Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
#U0110#U1eb7t h#U00e0ng.exe

Overview

General Information

Sample name:#U0110#U1eb7t h#U00e0ng.exe
renamed because original name is a hash value
Original sample name:t hng.exe
Analysis ID:1520354
MD5:f02a7d343b0827be9bebee347d4b81eb
SHA1:db7f73bf065dc3fb344d34c1e8292d731b3db96a
SHA256:3068f372435cd29582de3a4a6f37f37aa6bec7750dd789b67c050173af33a75b
Tags:exeuser-threatcat_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • #U0110#U1eb7t h#U00e0ng.exe (PID: 636 cmdline: "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe" MD5: F02A7D343B0827BE9BEBEE347D4B81EB)
    • powershell.exe (PID: 7064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • #U0110#U1eb7t h#U00e0ng.exe (PID: 3572 cmdline: "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe" MD5: F02A7D343B0827BE9BEBEE347D4B81EB)
    • MpCmdRun.exe (PID: 3572 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2f613:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2c270:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x142bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      Process Memory Space: #U0110#U1eb7t h#U00e0ng.exe PID: 636JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2e813:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16862:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2f613:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x17662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", ParentImage: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe, ParentProcessId: 636, ParentProcessName: #U0110#U1eb7t h#U00e0ng.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", ProcessId: 7064, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", ParentImage: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe, ParentProcessId: 636, ParentProcessName: #U0110#U1eb7t h#U00e0ng.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", ProcessId: 7064, ProcessName: powershell.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", ParentImage: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe, ParentProcessId: 636, ParentProcessName: #U0110#U1eb7t h#U00e0ng.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe", ProcessId: 7064, ProcessName: powershell.exe

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: #U0110#U1eb7t h#U00e0ng.exeReversingLabs: Detection: 50%
            Yara detected FormBook
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: #U0110#U1eb7t h#U00e0ng.exeJoe Sandbox ML: detected
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: #U0110#U1eb7t h#U00e0ng.exe, 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: #U0110#U1eb7t h#U00e0ng.exe, #U0110#U1eb7t h#U00e0ng.exe, 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp
            Source: unknownDNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000000.00000002.1458898426.0000000002CF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            .NET source code contains very large array initializations
            Source: #U0110#U1eb7t h#U00e0ng.exe, Veiculo.csLarge array initialization: : array initializer size 635888
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0042C8B3 NtClose,4_2_0042C8B3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_014F2DF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_014F2C70
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F35C0 NtCreateMutant,LdrInitializeThunk,4_2_014F35C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F4340 NtSetContextThread,4_2_014F4340
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F4650 NtSuspendThread,4_2_014F4650
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2B60 NtClose,4_2_014F2B60
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2BE0 NtQueryValueKey,4_2_014F2BE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2BF0 NtAllocateVirtualMemory,4_2_014F2BF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2B80 NtQueryInformationFile,4_2_014F2B80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2BA0 NtEnumerateValueKey,4_2_014F2BA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2AD0 NtReadFile,4_2_014F2AD0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2AF0 NtWriteFile,4_2_014F2AF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2AB0 NtWaitForSingleObject,4_2_014F2AB0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2D00 NtSetInformationFile,4_2_014F2D00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2D10 NtMapViewOfSection,4_2_014F2D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2D30 NtUnmapViewOfSection,4_2_014F2D30
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2DD0 NtDelayExecution,4_2_014F2DD0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2DB0 NtEnumerateKey,4_2_014F2DB0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2C60 NtCreateKey,4_2_014F2C60
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2C00 NtQueryInformationProcess,4_2_014F2C00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2CC0 NtQueryVirtualMemory,4_2_014F2CC0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2CF0 NtOpenProcess,4_2_014F2CF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2CA0 NtQueryInformationToken,4_2_014F2CA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2F60 NtCreateProcessEx,4_2_014F2F60
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2F30 NtCreateSection,4_2_014F2F30
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2FE0 NtCreateFile,4_2_014F2FE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2F90 NtProtectVirtualMemory,4_2_014F2F90
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2FA0 NtQuerySection,4_2_014F2FA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2FB0 NtResumeThread,4_2_014F2FB0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2E30 NtWriteVirtualMemory,4_2_014F2E30
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2EE0 NtQueueApcThread,4_2_014F2EE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2E80 NtReadVirtualMemory,4_2_014F2E80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2EA0 NtAdjustPrivilegesToken,4_2_014F2EA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F3010 NtOpenDirectoryObject,4_2_014F3010
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F3090 NtSetValueKey,4_2_014F3090
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F39B0 NtGetContextThread,4_2_014F39B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F3D70 NtOpenThread,4_2_014F3D70
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F3D10 NtOpenProcessToken,4_2_014F3D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 0_2_053401300_2_05340130
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 0_2_053401200_2_05340120
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004100734_2_00410073
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004028F04_2_004028F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004011504_2_00401150
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004031204_2_00403120
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004169CE4_2_004169CE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004169D34_2_004169D3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004102934_2_00410293
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0040E3134_2_0040E313
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004024004_2_00402400
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004025A04_2_004025A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0042EF034_2_0042EF03
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015481584_2_01548158
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B01004_2_014B0100
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155A1184_2_0155A118
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015781CC4_2_015781CC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015801AA4_2_015801AA
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157A3524_2_0157A352
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE3F04_2_014CE3F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015803E64_2_015803E6
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015602744_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015402C04_2_015402C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C05354_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015805914_2_01580591
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015724464_2_01572446
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0156E4F64_2_0156E4F6
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E47504_2_014E4750
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C07704_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BC7C04_2_014BC7C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DC6E04_2_014DC6E0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D69624_2_014D6962
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A04_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0158A9A64_2_0158A9A6
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CA8404_2_014CA840
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C28404_2_014C2840
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE8F04_2_014EE8F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A68B84_2_014A68B8
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157AB404_2_0157AB40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01576BD74_2_01576BD7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA804_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CAD004_2_014CAD00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE04_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D8DBF4_2_014D8DBF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0C004_2_014C0C00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0CF24_2_014B0CF2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560CB54_2_01560CB5
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01534F404_2_01534F40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01502F284_2_01502F28
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E0F304_2_014E0F30
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B2FC84_2_014B2FC8
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CCFE04_2_014CCFE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153EFA04_2_0153EFA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0E594_2_014C0E59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157EE264_2_0157EE26
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157EEDB4_2_0157EEDB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157CE934_2_0157CE93
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2E904_2_014D2E90
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F516C4_2_014F516C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0158B16B4_2_0158B16B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AF1724_2_014AF172
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CB1B04_2_014CB1B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C70C04_2_014C70C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0156F0CC4_2_0156F0CC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157F0E04_2_0157F0E0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015770E94_2_015770E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AD34C4_2_014AD34C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157132D4_2_0157132D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0150739A4_2_0150739A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DB2C04_2_014DB2C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015612ED4_2_015612ED
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C52A04_2_014C52A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015775714_2_01577571
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155D5B04_2_0155D5B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B14604_2_014B1460
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157F43F4_2_0157F43F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157F7B04_2_0157F7B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015716CC4_2_015716CC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C99504_2_014C9950
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DB9504_2_014DB950
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152D8004_2_0152D800
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C38E04_2_014C38E0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157FB764_2_0157FB76
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01535BF04_2_01535BF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014FDBF94_2_014FDBF9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DFB804_2_014DFB80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01577A464_2_01577A46
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157FA494_2_0157FA49
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01533A6C4_2_01533A6C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0156DAC64_2_0156DAC6
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01505AA04_2_01505AA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155DAAC4_2_0155DAAC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C3D404_2_014C3D40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01571D5A4_2_01571D5A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01577D734_2_01577D73
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DFDC04_2_014DFDC0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01539C324_2_01539C32
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157FCF24_2_0157FCF2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157FF094_2_0157FF09
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C1F924_2_014C1F92
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157FFB14_2_0157FFB1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C9EB04_2_014C9EB0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: String function: 0153F290 appears 105 times
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: String function: 01507E54 appears 98 times
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: String function: 014AB970 appears 272 times
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: String function: 014F5130 appears 37 times
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: String function: 0152EA12 appears 86 times
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000000.00000000.1433054710.00000000009E3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameblVY.exeD vs #U0110#U1eb7t h#U00e0ng.exe
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000000.00000002.1472239349.0000000007D70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs #U0110#U1eb7t h#U00e0ng.exe
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000000.00000002.1457803334.0000000000FAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs #U0110#U1eb7t h#U00e0ng.exe
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000004.00000002.1551765717.00000000015AD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs #U0110#U1eb7t h#U00e0ng.exe
            Source: #U0110#U1eb7t h#U00e0ng.exeBinary or memory string: OriginalFilenameblVY.exeD vs #U0110#U1eb7t h#U00e0ng.exe
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, cRJMoTiXTybVwry646.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, xVjhx20jlGCcV4GrvJ.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, xVjhx20jlGCcV4GrvJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, xVjhx20jlGCcV4GrvJ.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, xVjhx20jlGCcV4GrvJ.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, xVjhx20jlGCcV4GrvJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, xVjhx20jlGCcV4GrvJ.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, cRJMoTiXTybVwry646.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@8/7@1/0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U0110#U1eb7t h#U00e0ng.exe.logJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:760:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5d03lhp.x14.ps1Jump to behavior
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: #U0110#U1eb7t h#U00e0ng.exeReversingLabs: Detection: 50%
            Source: unknownProcess created: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: #U0110#U1eb7t h#U00e0ng.exe, 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: #U0110#U1eb7t h#U00e0ng.exe, #U0110#U1eb7t h#U00e0ng.exe, 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: #U0110#U1eb7t h#U00e0ng.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.2cd81e4.0.raw.unpack, JK.cs.Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, xVjhx20jlGCcV4GrvJ.cs.Net Code: hr1esCT20I System.Reflection.Assembly.Load(byte[])
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7260000.2.raw.unpack, JK.cs.Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, xVjhx20jlGCcV4GrvJ.cs.Net Code: hr1esCT20I System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00405130 push 276952D9h; iretd 4_2_00405135
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041E990 push edx; ret 4_2_0041E991
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00404A47 push edi; retf 4_2_00404A48
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041F2F5 push edi; iretd 4_2_0041F30F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041AA8F push ebx; ret 4_2_0041AB40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041F303 push edi; iretd 4_2_0041F30F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00411B28 pushad ; ret 4_2_00411B29
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_004033A0 push eax; ret 4_2_004033A2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00415C53 push 4D40979Fh; retf AA07h4_2_00415DF1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00426DE3 push edi; ret 4_2_00426DEE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041EDBB push eax; iretd 4_2_0041EDD2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00404E7A push ebp; ret 4_2_00404E7B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00404EC0 push A00DC95Eh; retf 4_2_00404EF3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00408686 pushad ; retf 4_2_00408687
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B09AD push ecx; mov dword ptr [esp], ecx4_2_014B09B6
            Source: #U0110#U1eb7t h#U00e0ng.exeStatic PE information: section name: .text entropy: 7.957791733986186
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.2cd81e4.0.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, XRrxQnBmkxEPytENfx.csHigh entropy of concatenated method names: 'H22pw8iWPY', 'XMkpUo3qvY', 'P0RAouIuG8', 'd9UAmANgxU', 'kO8pxekENJ', 'h7dpdU7tSH', 'klOpbIKCjT', 'qTep1SaiLr', 'AOmpHGgFdh', 'FZupQVZ7Bj'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, cRJMoTiXTybVwry646.csHigh entropy of concatenated method names: 'XpFq14Errc', 'rASqHqpSwR', 'fusqQUTfep', 'OUOqZtLZK3', 'QbRqDiOX8X', 'Xi4q6KuBdE', 'w0gqWv4KBB', 'QnfqwY9BEG', 'XWyq38bSHo', 'pXjqU6ng32'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, OaBd9E7ldQpDNBOyZV.csHigh entropy of concatenated method names: 'jjGA8lGRw5', 'hD5Atf4M22', 'zkRAYX88W4', 'CWuAueQOPB', 'QHCA16cQWT', 'BqVAgVMSLY', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, xnU5gZPT9GTwKWUuxl.csHigh entropy of concatenated method names: 'Dispose', 'yEBm3bEn0Y', 'cRiat8fKYF', 'V10220Pkoj', 'ngtmUfxu9N', 'CZLmzX6aqB', 'ProcessDialogKey', 'vLJaoVyGnp', 'NI5am4LvvU', 'csSaa5FElq'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, BwQs3QoiSZhNPAMyFf.csHigh entropy of concatenated method names: 'LrcLB2o6QP', 'okbLKPmTZA', 'mMXLsQikmE', 'm7oLr9PnFK', 'aXKL4WCY4d', 'mPPLkPfGMw', 'TkgLElpnFk', 'pvuLCLJ58t', 'gqeL9BFQBW', 'qmcLlGFVh8'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, Ae3uc25pKxVHuB9wsK.csHigh entropy of concatenated method names: 'ItgN0Ny8eF', 'geGNqLGhye', 'GQcNGBsSkk', 'dgiNLjxD2I', 'RlLNylXL7J', 'i1oGDIgEB6', 'AD8G6m6HSD', 'zTWGWdOhgD', 'zOsGwoSiYA', 'rcjG3IVhmV'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, sc9l2sgT48EMTk8cQE.csHigh entropy of concatenated method names: 'k61TCMo3eL', 'PJLT9oTawF', 'UFbT8oTnjE', 'oJiTtj8JOK', 'BgcTuiG2F1', 'EFITgdfehA', 'e2ZTnWKkKi', 'msUT5svg5p', 'idZTVd6Cqx', 'JORTxhWEAr'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, eoXTuOUZ5rt5DLT2w5.csHigh entropy of concatenated method names: 'JAPPrW5iXv', 'EQiPkOltbV', 'c6qPC8aLF7', 'rgAP9veZmD', 'qJYPvcEP1n', 'rNTPfkE4Ms', 'lD7PpGplCd', 'VkNPAP1IDM', 'PcZPJpQr0F', 'epQPitXHBs'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, W3GtWY9W2pKRkao04P.csHigh entropy of concatenated method names: 'zE9JmkGe3b', 'bxFJFZZIP1', 'X6MJejCfld', 'Oo0JIvU3yu', 'N1GJqh82h2', 'PLBJG3Icuw', 'A0FJNjW1Jm', 'LacAWYetlm', 'FbnAwLVW8K', 'BBkA3xYIGP'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, xVjhx20jlGCcV4GrvJ.csHigh entropy of concatenated method names: 'sewF0BpS7T', 'W9gFIB4yLc', 'CBEFqAuYB3', 'wxNFPpls5b', 'xE6FGQoRHG', 'AcBFNDjvcB', 'pbVFLulwAt', 'PPoFyGyw5s', 'BQiFc92U7B', 'i2NFOkcZSZ'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, dTrRSA3XO2mOSXLrcI.csHigh entropy of concatenated method names: 'u9emLaFxLJ', 'GTYmyHLTwX', 'nEWmOVC6jC', 'uY8mMpbuoX', 'QY6mvuRLHZ', 'r7omfOxagI', 'e8ZDUdJra8nR5Dp1uH', 'dbiSGfXCTcHJBO8WbS', 'DxPmmTmeAq', 'eQbmFEsmpi'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, vcHXLAJO0ffSh4bVJHS.csHigh entropy of concatenated method names: 'gMQJBQ21Ku', 'he5JK5WDjW', 'RUvJsCbiCS', 'EOkJrIVE62', 'MUxJ41FqJI', 'nv2Jk1OtOk', 'hx6JEvoO4G', 'z21JCx8tnP', 'lOMJ9cQXtZ', 'Gv5Jlr3twT'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, hO8nSasJav9UyVLY4F.csHigh entropy of concatenated method names: 'iT6LIYhiLi', 'f0QLPhZiXh', 'PRuLN492Xm', 'L5eNUxIZyp', 'QpjNzWtPSZ', 'k38LoIWrbu', 'PeILmmtshB', 'aGVLa0iR40', 'Eq4LFfXOfT', 'A4tLeJY7yX'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, XR4jqfYbDb932ymW66.csHigh entropy of concatenated method names: 'L8DAIFcp8B', 'DTbAqBE6IK', 'WtKAPOqS9I', 'PepAGXvEqV', 'AM5ANwYjxo', 'W6MALnN992', 'SJ3AyYFQrY', 'hy1AcrxK4M', 'o2hAOlpR1D', 'XDyAM0xX8c'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, C6dUNc2aiiTGB6oWBa.csHigh entropy of concatenated method names: 'sFjsZo11I', 'o8PrJI3Q0', 'OmskbDIdR', 'ifoEeZ6Ev', 'LAn9foYw8', 'ExAlutTgk', 'BHEtij5pyJXmOLupQq', 'S8V0wMcR2Ui88VdBAR', 'LNuAa6ilc', 'eX2iDZjKo'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, Fo4avqJyoilUwS5Vjj3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wR4i1bZTS9', 'khbiH3HKDm', 'eCdiQ4VHP8', 'qmBiZWK25Y', 'OahiDoxyMa', 'uTii6HdoVh', 'oM3iWUCYLb'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, mfj228vbgkyAfAl2w9.csHigh entropy of concatenated method names: 'dxepOb8Aac', 'f4xpMcpLMD', 'ToString', 'we8pIspspW', 'ynppqfY20Y', 'lanpPm9KQN', 'nsBpGMuUpg', 'mtrpNYcZmF', 'c8JpL5Trj4', 'ukmpy3ZVYy'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, Ge7jNdrX4GOV7n9aCG.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MBNa3nGRPb', 'NROaU5qZpQ', 'bMfazpuZ9Y', 'JmlFo36fDI', 'PQHFmlJwLZ', 'WhmFa8ySto', 'kT6FFWqDOd', 'sjbm7kSWQsxZQEwDmcq'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7d70000.4.raw.unpack, NRk5ZTJ2xhwfaslfNH8.csHigh entropy of concatenated method names: 'cvLiBWvyH7', 'gT1iKg5Tqk', 'f49isvkvhH', 'ulxYxa8Z1RmejVSPu6h', 'anJQhh8VCdoIWQmbfdi', 'c0K50A8ifMKIWqG73yH', 'miV4ny8pcYR7XeKwym9'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.7260000.2.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, XRrxQnBmkxEPytENfx.csHigh entropy of concatenated method names: 'H22pw8iWPY', 'XMkpUo3qvY', 'P0RAouIuG8', 'd9UAmANgxU', 'kO8pxekENJ', 'h7dpdU7tSH', 'klOpbIKCjT', 'qTep1SaiLr', 'AOmpHGgFdh', 'FZupQVZ7Bj'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, cRJMoTiXTybVwry646.csHigh entropy of concatenated method names: 'XpFq14Errc', 'rASqHqpSwR', 'fusqQUTfep', 'OUOqZtLZK3', 'QbRqDiOX8X', 'Xi4q6KuBdE', 'w0gqWv4KBB', 'QnfqwY9BEG', 'XWyq38bSHo', 'pXjqU6ng32'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, OaBd9E7ldQpDNBOyZV.csHigh entropy of concatenated method names: 'jjGA8lGRw5', 'hD5Atf4M22', 'zkRAYX88W4', 'CWuAueQOPB', 'QHCA16cQWT', 'BqVAgVMSLY', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, xnU5gZPT9GTwKWUuxl.csHigh entropy of concatenated method names: 'Dispose', 'yEBm3bEn0Y', 'cRiat8fKYF', 'V10220Pkoj', 'ngtmUfxu9N', 'CZLmzX6aqB', 'ProcessDialogKey', 'vLJaoVyGnp', 'NI5am4LvvU', 'csSaa5FElq'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, BwQs3QoiSZhNPAMyFf.csHigh entropy of concatenated method names: 'LrcLB2o6QP', 'okbLKPmTZA', 'mMXLsQikmE', 'm7oLr9PnFK', 'aXKL4WCY4d', 'mPPLkPfGMw', 'TkgLElpnFk', 'pvuLCLJ58t', 'gqeL9BFQBW', 'qmcLlGFVh8'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, Ae3uc25pKxVHuB9wsK.csHigh entropy of concatenated method names: 'ItgN0Ny8eF', 'geGNqLGhye', 'GQcNGBsSkk', 'dgiNLjxD2I', 'RlLNylXL7J', 'i1oGDIgEB6', 'AD8G6m6HSD', 'zTWGWdOhgD', 'zOsGwoSiYA', 'rcjG3IVhmV'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, sc9l2sgT48EMTk8cQE.csHigh entropy of concatenated method names: 'k61TCMo3eL', 'PJLT9oTawF', 'UFbT8oTnjE', 'oJiTtj8JOK', 'BgcTuiG2F1', 'EFITgdfehA', 'e2ZTnWKkKi', 'msUT5svg5p', 'idZTVd6Cqx', 'JORTxhWEAr'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, eoXTuOUZ5rt5DLT2w5.csHigh entropy of concatenated method names: 'JAPPrW5iXv', 'EQiPkOltbV', 'c6qPC8aLF7', 'rgAP9veZmD', 'qJYPvcEP1n', 'rNTPfkE4Ms', 'lD7PpGplCd', 'VkNPAP1IDM', 'PcZPJpQr0F', 'epQPitXHBs'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, W3GtWY9W2pKRkao04P.csHigh entropy of concatenated method names: 'zE9JmkGe3b', 'bxFJFZZIP1', 'X6MJejCfld', 'Oo0JIvU3yu', 'N1GJqh82h2', 'PLBJG3Icuw', 'A0FJNjW1Jm', 'LacAWYetlm', 'FbnAwLVW8K', 'BBkA3xYIGP'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, xVjhx20jlGCcV4GrvJ.csHigh entropy of concatenated method names: 'sewF0BpS7T', 'W9gFIB4yLc', 'CBEFqAuYB3', 'wxNFPpls5b', 'xE6FGQoRHG', 'AcBFNDjvcB', 'pbVFLulwAt', 'PPoFyGyw5s', 'BQiFc92U7B', 'i2NFOkcZSZ'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, dTrRSA3XO2mOSXLrcI.csHigh entropy of concatenated method names: 'u9emLaFxLJ', 'GTYmyHLTwX', 'nEWmOVC6jC', 'uY8mMpbuoX', 'QY6mvuRLHZ', 'r7omfOxagI', 'e8ZDUdJra8nR5Dp1uH', 'dbiSGfXCTcHJBO8WbS', 'DxPmmTmeAq', 'eQbmFEsmpi'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, vcHXLAJO0ffSh4bVJHS.csHigh entropy of concatenated method names: 'gMQJBQ21Ku', 'he5JK5WDjW', 'RUvJsCbiCS', 'EOkJrIVE62', 'MUxJ41FqJI', 'nv2Jk1OtOk', 'hx6JEvoO4G', 'z21JCx8tnP', 'lOMJ9cQXtZ', 'Gv5Jlr3twT'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, hO8nSasJav9UyVLY4F.csHigh entropy of concatenated method names: 'iT6LIYhiLi', 'f0QLPhZiXh', 'PRuLN492Xm', 'L5eNUxIZyp', 'QpjNzWtPSZ', 'k38LoIWrbu', 'PeILmmtshB', 'aGVLa0iR40', 'Eq4LFfXOfT', 'A4tLeJY7yX'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, XR4jqfYbDb932ymW66.csHigh entropy of concatenated method names: 'L8DAIFcp8B', 'DTbAqBE6IK', 'WtKAPOqS9I', 'PepAGXvEqV', 'AM5ANwYjxo', 'W6MALnN992', 'SJ3AyYFQrY', 'hy1AcrxK4M', 'o2hAOlpR1D', 'XDyAM0xX8c'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, C6dUNc2aiiTGB6oWBa.csHigh entropy of concatenated method names: 'sFjsZo11I', 'o8PrJI3Q0', 'OmskbDIdR', 'ifoEeZ6Ev', 'LAn9foYw8', 'ExAlutTgk', 'BHEtij5pyJXmOLupQq', 'S8V0wMcR2Ui88VdBAR', 'LNuAa6ilc', 'eX2iDZjKo'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, Fo4avqJyoilUwS5Vjj3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wR4i1bZTS9', 'khbiH3HKDm', 'eCdiQ4VHP8', 'qmBiZWK25Y', 'OahiDoxyMa', 'uTii6HdoVh', 'oM3iWUCYLb'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, mfj228vbgkyAfAl2w9.csHigh entropy of concatenated method names: 'dxepOb8Aac', 'f4xpMcpLMD', 'ToString', 'we8pIspspW', 'ynppqfY20Y', 'lanpPm9KQN', 'nsBpGMuUpg', 'mtrpNYcZmF', 'c8JpL5Trj4', 'ukmpy3ZVYy'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, Ge7jNdrX4GOV7n9aCG.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MBNa3nGRPb', 'NROaU5qZpQ', 'bMfazpuZ9Y', 'JmlFo36fDI', 'PQHFmlJwLZ', 'WhmFa8ySto', 'kT6FFWqDOd', 'sjbm7kSWQsxZQEwDmcq'
            Source: 0.2.#U0110#U1eb7t h#U00e0ng.exe.3f69180.1.raw.unpack, NRk5ZTJ2xhwfaslfNH8.csHigh entropy of concatenated method names: 'cvLiBWvyH7', 'gT1iKg5Tqk', 'f49isvkvhH', 'ulxYxa8Z1RmejVSPu6h', 'anJQhh8VCdoIWQmbfdi', 'c0K50A8ifMKIWqG73yH', 'miV4ny8pcYR7XeKwym9'

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: #U0110#U1eb7t h#U00e0ng.exe PID: 636, type: MEMORYSTR
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: 1210000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: 2CA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: 4CA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: 7F40000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: 8F40000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: 9100000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: A100000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041AA8F rdtsc 4_2_0041AA8F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5801Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2352Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeAPI coverage: 0.6 %
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe TID: 7112Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2680Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4932Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe TID: 4028Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000000.00000002.1472239349.0000000007D70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: uivmCiAQOo
            Source: #U0110#U1eb7t h#U00e0ng.exe, 00000000.00000002.1471607527.00000000079DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`J
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0041AA8F rdtsc 4_2_0041AA8F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_00417983 LdrLoadDll,4_2_00417983
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01548158 mov eax, dword ptr fs:[00000030h]4_2_01548158
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01544144 mov eax, dword ptr fs:[00000030h]4_2_01544144
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01544144 mov eax, dword ptr fs:[00000030h]4_2_01544144
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01544144 mov ecx, dword ptr fs:[00000030h]4_2_01544144
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01544144 mov eax, dword ptr fs:[00000030h]4_2_01544144
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01544144 mov eax, dword ptr fs:[00000030h]4_2_01544144
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AC156 mov eax, dword ptr fs:[00000030h]4_2_014AC156
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6154 mov eax, dword ptr fs:[00000030h]4_2_014B6154
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6154 mov eax, dword ptr fs:[00000030h]4_2_014B6154
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01570115 mov eax, dword ptr fs:[00000030h]4_2_01570115
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155A118 mov ecx, dword ptr fs:[00000030h]4_2_0155A118
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155A118 mov eax, dword ptr fs:[00000030h]4_2_0155A118
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155A118 mov eax, dword ptr fs:[00000030h]4_2_0155A118
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155A118 mov eax, dword ptr fs:[00000030h]4_2_0155A118
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E0124 mov eax, dword ptr fs:[00000030h]4_2_014E0124
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E1D0 mov eax, dword ptr fs:[00000030h]4_2_0152E1D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E1D0 mov eax, dword ptr fs:[00000030h]4_2_0152E1D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E1D0 mov ecx, dword ptr fs:[00000030h]4_2_0152E1D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E1D0 mov eax, dword ptr fs:[00000030h]4_2_0152E1D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E1D0 mov eax, dword ptr fs:[00000030h]4_2_0152E1D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015761C3 mov eax, dword ptr fs:[00000030h]4_2_015761C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015761C3 mov eax, dword ptr fs:[00000030h]4_2_015761C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E01F8 mov eax, dword ptr fs:[00000030h]4_2_014E01F8
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015861E5 mov eax, dword ptr fs:[00000030h]4_2_015861E5
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F0185 mov eax, dword ptr fs:[00000030h]4_2_014F0185
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153019F mov eax, dword ptr fs:[00000030h]4_2_0153019F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153019F mov eax, dword ptr fs:[00000030h]4_2_0153019F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153019F mov eax, dword ptr fs:[00000030h]4_2_0153019F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153019F mov eax, dword ptr fs:[00000030h]4_2_0153019F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AA197 mov eax, dword ptr fs:[00000030h]4_2_014AA197
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AA197 mov eax, dword ptr fs:[00000030h]4_2_014AA197
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AA197 mov eax, dword ptr fs:[00000030h]4_2_014AA197
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0156C188 mov eax, dword ptr fs:[00000030h]4_2_0156C188
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0156C188 mov eax, dword ptr fs:[00000030h]4_2_0156C188
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536050 mov eax, dword ptr fs:[00000030h]4_2_01536050
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B2050 mov eax, dword ptr fs:[00000030h]4_2_014B2050
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DC073 mov eax, dword ptr fs:[00000030h]4_2_014DC073
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01534000 mov ecx, dword ptr fs:[00000030h]4_2_01534000
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE016 mov eax, dword ptr fs:[00000030h]4_2_014CE016
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE016 mov eax, dword ptr fs:[00000030h]4_2_014CE016
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE016 mov eax, dword ptr fs:[00000030h]4_2_014CE016
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE016 mov eax, dword ptr fs:[00000030h]4_2_014CE016
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01546030 mov eax, dword ptr fs:[00000030h]4_2_01546030
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AA020 mov eax, dword ptr fs:[00000030h]4_2_014AA020
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AC020 mov eax, dword ptr fs:[00000030h]4_2_014AC020
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015320DE mov eax, dword ptr fs:[00000030h]4_2_015320DE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B80E9 mov eax, dword ptr fs:[00000030h]4_2_014B80E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AA0E3 mov ecx, dword ptr fs:[00000030h]4_2_014AA0E3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015360E0 mov eax, dword ptr fs:[00000030h]4_2_015360E0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AC0F0 mov eax, dword ptr fs:[00000030h]4_2_014AC0F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F20F0 mov ecx, dword ptr fs:[00000030h]4_2_014F20F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B208A mov eax, dword ptr fs:[00000030h]4_2_014B208A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015760B8 mov eax, dword ptr fs:[00000030h]4_2_015760B8
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015760B8 mov ecx, dword ptr fs:[00000030h]4_2_015760B8
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015480A8 mov eax, dword ptr fs:[00000030h]4_2_015480A8
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157A352 mov eax, dword ptr fs:[00000030h]4_2_0157A352
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153035C mov eax, dword ptr fs:[00000030h]4_2_0153035C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153035C mov eax, dword ptr fs:[00000030h]4_2_0153035C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153035C mov eax, dword ptr fs:[00000030h]4_2_0153035C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153035C mov ecx, dword ptr fs:[00000030h]4_2_0153035C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153035C mov eax, dword ptr fs:[00000030h]4_2_0153035C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153035C mov eax, dword ptr fs:[00000030h]4_2_0153035C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01532349 mov eax, dword ptr fs:[00000030h]4_2_01532349
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155437C mov eax, dword ptr fs:[00000030h]4_2_0155437C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA30B mov eax, dword ptr fs:[00000030h]4_2_014EA30B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA30B mov eax, dword ptr fs:[00000030h]4_2_014EA30B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA30B mov eax, dword ptr fs:[00000030h]4_2_014EA30B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AC310 mov ecx, dword ptr fs:[00000030h]4_2_014AC310
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D0310 mov ecx, dword ptr fs:[00000030h]4_2_014D0310
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA3C0 mov eax, dword ptr fs:[00000030h]4_2_014BA3C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA3C0 mov eax, dword ptr fs:[00000030h]4_2_014BA3C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA3C0 mov eax, dword ptr fs:[00000030h]4_2_014BA3C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA3C0 mov eax, dword ptr fs:[00000030h]4_2_014BA3C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA3C0 mov eax, dword ptr fs:[00000030h]4_2_014BA3C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA3C0 mov eax, dword ptr fs:[00000030h]4_2_014BA3C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B83C0 mov eax, dword ptr fs:[00000030h]4_2_014B83C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B83C0 mov eax, dword ptr fs:[00000030h]4_2_014B83C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B83C0 mov eax, dword ptr fs:[00000030h]4_2_014B83C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B83C0 mov eax, dword ptr fs:[00000030h]4_2_014B83C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015363C0 mov eax, dword ptr fs:[00000030h]4_2_015363C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0156C3CD mov eax, dword ptr fs:[00000030h]4_2_0156C3CD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C03E9 mov eax, dword ptr fs:[00000030h]4_2_014C03E9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E63FF mov eax, dword ptr fs:[00000030h]4_2_014E63FF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE3F0 mov eax, dword ptr fs:[00000030h]4_2_014CE3F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE3F0 mov eax, dword ptr fs:[00000030h]4_2_014CE3F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE3F0 mov eax, dword ptr fs:[00000030h]4_2_014CE3F0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AE388 mov eax, dword ptr fs:[00000030h]4_2_014AE388
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AE388 mov eax, dword ptr fs:[00000030h]4_2_014AE388
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AE388 mov eax, dword ptr fs:[00000030h]4_2_014AE388
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D438F mov eax, dword ptr fs:[00000030h]4_2_014D438F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D438F mov eax, dword ptr fs:[00000030h]4_2_014D438F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A8397 mov eax, dword ptr fs:[00000030h]4_2_014A8397
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A8397 mov eax, dword ptr fs:[00000030h]4_2_014A8397
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A8397 mov eax, dword ptr fs:[00000030h]4_2_014A8397
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01538243 mov eax, dword ptr fs:[00000030h]4_2_01538243
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01538243 mov ecx, dword ptr fs:[00000030h]4_2_01538243
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6259 mov eax, dword ptr fs:[00000030h]4_2_014B6259
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AA250 mov eax, dword ptr fs:[00000030h]4_2_014AA250
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A826B mov eax, dword ptr fs:[00000030h]4_2_014A826B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01560274 mov eax, dword ptr fs:[00000030h]4_2_01560274
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4260 mov eax, dword ptr fs:[00000030h]4_2_014B4260
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4260 mov eax, dword ptr fs:[00000030h]4_2_014B4260
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4260 mov eax, dword ptr fs:[00000030h]4_2_014B4260
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A823B mov eax, dword ptr fs:[00000030h]4_2_014A823B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA2C3 mov eax, dword ptr fs:[00000030h]4_2_014BA2C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA2C3 mov eax, dword ptr fs:[00000030h]4_2_014BA2C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA2C3 mov eax, dword ptr fs:[00000030h]4_2_014BA2C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA2C3 mov eax, dword ptr fs:[00000030h]4_2_014BA2C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA2C3 mov eax, dword ptr fs:[00000030h]4_2_014BA2C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C02E1 mov eax, dword ptr fs:[00000030h]4_2_014C02E1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C02E1 mov eax, dword ptr fs:[00000030h]4_2_014C02E1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C02E1 mov eax, dword ptr fs:[00000030h]4_2_014C02E1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE284 mov eax, dword ptr fs:[00000030h]4_2_014EE284
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE284 mov eax, dword ptr fs:[00000030h]4_2_014EE284
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01530283 mov eax, dword ptr fs:[00000030h]4_2_01530283
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01530283 mov eax, dword ptr fs:[00000030h]4_2_01530283
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01530283 mov eax, dword ptr fs:[00000030h]4_2_01530283
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C02A0 mov eax, dword ptr fs:[00000030h]4_2_014C02A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C02A0 mov eax, dword ptr fs:[00000030h]4_2_014C02A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015462A0 mov eax, dword ptr fs:[00000030h]4_2_015462A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015462A0 mov ecx, dword ptr fs:[00000030h]4_2_015462A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015462A0 mov eax, dword ptr fs:[00000030h]4_2_015462A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015462A0 mov eax, dword ptr fs:[00000030h]4_2_015462A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015462A0 mov eax, dword ptr fs:[00000030h]4_2_015462A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015462A0 mov eax, dword ptr fs:[00000030h]4_2_015462A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8550 mov eax, dword ptr fs:[00000030h]4_2_014B8550
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8550 mov eax, dword ptr fs:[00000030h]4_2_014B8550
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E656A mov eax, dword ptr fs:[00000030h]4_2_014E656A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E656A mov eax, dword ptr fs:[00000030h]4_2_014E656A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E656A mov eax, dword ptr fs:[00000030h]4_2_014E656A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01546500 mov eax, dword ptr fs:[00000030h]4_2_01546500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584500 mov eax, dword ptr fs:[00000030h]4_2_01584500
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE53E mov eax, dword ptr fs:[00000030h]4_2_014DE53E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE53E mov eax, dword ptr fs:[00000030h]4_2_014DE53E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE53E mov eax, dword ptr fs:[00000030h]4_2_014DE53E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE53E mov eax, dword ptr fs:[00000030h]4_2_014DE53E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE53E mov eax, dword ptr fs:[00000030h]4_2_014DE53E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0535 mov eax, dword ptr fs:[00000030h]4_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0535 mov eax, dword ptr fs:[00000030h]4_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0535 mov eax, dword ptr fs:[00000030h]4_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0535 mov eax, dword ptr fs:[00000030h]4_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0535 mov eax, dword ptr fs:[00000030h]4_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0535 mov eax, dword ptr fs:[00000030h]4_2_014C0535
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE5CF mov eax, dword ptr fs:[00000030h]4_2_014EE5CF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE5CF mov eax, dword ptr fs:[00000030h]4_2_014EE5CF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B65D0 mov eax, dword ptr fs:[00000030h]4_2_014B65D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA5D0 mov eax, dword ptr fs:[00000030h]4_2_014EA5D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA5D0 mov eax, dword ptr fs:[00000030h]4_2_014EA5D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC5ED mov eax, dword ptr fs:[00000030h]4_2_014EC5ED
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC5ED mov eax, dword ptr fs:[00000030h]4_2_014EC5ED
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE5E7 mov eax, dword ptr fs:[00000030h]4_2_014DE5E7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B25E0 mov eax, dword ptr fs:[00000030h]4_2_014B25E0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E4588 mov eax, dword ptr fs:[00000030h]4_2_014E4588
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B2582 mov eax, dword ptr fs:[00000030h]4_2_014B2582
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B2582 mov ecx, dword ptr fs:[00000030h]4_2_014B2582
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE59C mov eax, dword ptr fs:[00000030h]4_2_014EE59C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015305A7 mov eax, dword ptr fs:[00000030h]4_2_015305A7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015305A7 mov eax, dword ptr fs:[00000030h]4_2_015305A7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015305A7 mov eax, dword ptr fs:[00000030h]4_2_015305A7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D45B1 mov eax, dword ptr fs:[00000030h]4_2_014D45B1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D45B1 mov eax, dword ptr fs:[00000030h]4_2_014D45B1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EE443 mov eax, dword ptr fs:[00000030h]4_2_014EE443
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A645D mov eax, dword ptr fs:[00000030h]4_2_014A645D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D245A mov eax, dword ptr fs:[00000030h]4_2_014D245A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153C460 mov ecx, dword ptr fs:[00000030h]4_2_0153C460
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DA470 mov eax, dword ptr fs:[00000030h]4_2_014DA470
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DA470 mov eax, dword ptr fs:[00000030h]4_2_014DA470
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DA470 mov eax, dword ptr fs:[00000030h]4_2_014DA470
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E8402 mov eax, dword ptr fs:[00000030h]4_2_014E8402
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E8402 mov eax, dword ptr fs:[00000030h]4_2_014E8402
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E8402 mov eax, dword ptr fs:[00000030h]4_2_014E8402
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AE420 mov eax, dword ptr fs:[00000030h]4_2_014AE420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AE420 mov eax, dword ptr fs:[00000030h]4_2_014AE420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AE420 mov eax, dword ptr fs:[00000030h]4_2_014AE420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014AC427 mov eax, dword ptr fs:[00000030h]4_2_014AC427
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01536420 mov eax, dword ptr fs:[00000030h]4_2_01536420
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA430 mov eax, dword ptr fs:[00000030h]4_2_014EA430
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B04E5 mov ecx, dword ptr fs:[00000030h]4_2_014B04E5
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B64AB mov eax, dword ptr fs:[00000030h]4_2_014B64AB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153A4B0 mov eax, dword ptr fs:[00000030h]4_2_0153A4B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E44B0 mov ecx, dword ptr fs:[00000030h]4_2_014E44B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E674D mov esi, dword ptr fs:[00000030h]4_2_014E674D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E674D mov eax, dword ptr fs:[00000030h]4_2_014E674D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E674D mov eax, dword ptr fs:[00000030h]4_2_014E674D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01534755 mov eax, dword ptr fs:[00000030h]4_2_01534755
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153E75D mov eax, dword ptr fs:[00000030h]4_2_0153E75D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0750 mov eax, dword ptr fs:[00000030h]4_2_014B0750
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2750 mov eax, dword ptr fs:[00000030h]4_2_014F2750
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2750 mov eax, dword ptr fs:[00000030h]4_2_014F2750
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8770 mov eax, dword ptr fs:[00000030h]4_2_014B8770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0770 mov eax, dword ptr fs:[00000030h]4_2_014C0770
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC700 mov eax, dword ptr fs:[00000030h]4_2_014EC700
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0710 mov eax, dword ptr fs:[00000030h]4_2_014B0710
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E0710 mov eax, dword ptr fs:[00000030h]4_2_014E0710
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152C730 mov eax, dword ptr fs:[00000030h]4_2_0152C730
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC720 mov eax, dword ptr fs:[00000030h]4_2_014EC720
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC720 mov eax, dword ptr fs:[00000030h]4_2_014EC720
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E273C mov eax, dword ptr fs:[00000030h]4_2_014E273C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E273C mov ecx, dword ptr fs:[00000030h]4_2_014E273C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E273C mov eax, dword ptr fs:[00000030h]4_2_014E273C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BC7C0 mov eax, dword ptr fs:[00000030h]4_2_014BC7C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015307C3 mov eax, dword ptr fs:[00000030h]4_2_015307C3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D27ED mov eax, dword ptr fs:[00000030h]4_2_014D27ED
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D27ED mov eax, dword ptr fs:[00000030h]4_2_014D27ED
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D27ED mov eax, dword ptr fs:[00000030h]4_2_014D27ED
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B47FB mov eax, dword ptr fs:[00000030h]4_2_014B47FB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B47FB mov eax, dword ptr fs:[00000030h]4_2_014B47FB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153E7E1 mov eax, dword ptr fs:[00000030h]4_2_0153E7E1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B07AF mov eax, dword ptr fs:[00000030h]4_2_014B07AF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CC640 mov eax, dword ptr fs:[00000030h]4_2_014CC640
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA660 mov eax, dword ptr fs:[00000030h]4_2_014EA660
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA660 mov eax, dword ptr fs:[00000030h]4_2_014EA660
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157866E mov eax, dword ptr fs:[00000030h]4_2_0157866E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157866E mov eax, dword ptr fs:[00000030h]4_2_0157866E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E2674 mov eax, dword ptr fs:[00000030h]4_2_014E2674
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C260B mov eax, dword ptr fs:[00000030h]4_2_014C260B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F2619 mov eax, dword ptr fs:[00000030h]4_2_014F2619
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E609 mov eax, dword ptr fs:[00000030h]4_2_0152E609
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B262C mov eax, dword ptr fs:[00000030h]4_2_014B262C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CE627 mov eax, dword ptr fs:[00000030h]4_2_014CE627
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E6620 mov eax, dword ptr fs:[00000030h]4_2_014E6620
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E8620 mov eax, dword ptr fs:[00000030h]4_2_014E8620
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA6C7 mov ebx, dword ptr fs:[00000030h]4_2_014EA6C7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA6C7 mov eax, dword ptr fs:[00000030h]4_2_014EA6C7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E6F2 mov eax, dword ptr fs:[00000030h]4_2_0152E6F2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E6F2 mov eax, dword ptr fs:[00000030h]4_2_0152E6F2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E6F2 mov eax, dword ptr fs:[00000030h]4_2_0152E6F2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E6F2 mov eax, dword ptr fs:[00000030h]4_2_0152E6F2
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015306F1 mov eax, dword ptr fs:[00000030h]4_2_015306F1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015306F1 mov eax, dword ptr fs:[00000030h]4_2_015306F1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4690 mov eax, dword ptr fs:[00000030h]4_2_014B4690
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4690 mov eax, dword ptr fs:[00000030h]4_2_014B4690
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC6A6 mov eax, dword ptr fs:[00000030h]4_2_014EC6A6
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E66B0 mov eax, dword ptr fs:[00000030h]4_2_014E66B0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01530946 mov eax, dword ptr fs:[00000030h]4_2_01530946
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F096E mov eax, dword ptr fs:[00000030h]4_2_014F096E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F096E mov edx, dword ptr fs:[00000030h]4_2_014F096E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014F096E mov eax, dword ptr fs:[00000030h]4_2_014F096E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D6962 mov eax, dword ptr fs:[00000030h]4_2_014D6962
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D6962 mov eax, dword ptr fs:[00000030h]4_2_014D6962
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D6962 mov eax, dword ptr fs:[00000030h]4_2_014D6962
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153C97C mov eax, dword ptr fs:[00000030h]4_2_0153C97C
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153C912 mov eax, dword ptr fs:[00000030h]4_2_0153C912
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A8918 mov eax, dword ptr fs:[00000030h]4_2_014A8918
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A8918 mov eax, dword ptr fs:[00000030h]4_2_014A8918
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E908 mov eax, dword ptr fs:[00000030h]4_2_0152E908
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152E908 mov eax, dword ptr fs:[00000030h]4_2_0152E908
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153892A mov eax, dword ptr fs:[00000030h]4_2_0153892A
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0154892B mov eax, dword ptr fs:[00000030h]4_2_0154892B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157A9D3 mov eax, dword ptr fs:[00000030h]4_2_0157A9D3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015469C0 mov eax, dword ptr fs:[00000030h]4_2_015469C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA9D0 mov eax, dword ptr fs:[00000030h]4_2_014BA9D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA9D0 mov eax, dword ptr fs:[00000030h]4_2_014BA9D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA9D0 mov eax, dword ptr fs:[00000030h]4_2_014BA9D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA9D0 mov eax, dword ptr fs:[00000030h]4_2_014BA9D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA9D0 mov eax, dword ptr fs:[00000030h]4_2_014BA9D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BA9D0 mov eax, dword ptr fs:[00000030h]4_2_014BA9D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E49D0 mov eax, dword ptr fs:[00000030h]4_2_014E49D0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153E9E0 mov eax, dword ptr fs:[00000030h]4_2_0153E9E0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E29F9 mov eax, dword ptr fs:[00000030h]4_2_014E29F9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E29F9 mov eax, dword ptr fs:[00000030h]4_2_014E29F9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015389B3 mov esi, dword ptr fs:[00000030h]4_2_015389B3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015389B3 mov eax, dword ptr fs:[00000030h]4_2_015389B3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_015389B3 mov eax, dword ptr fs:[00000030h]4_2_015389B3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B09AD mov eax, dword ptr fs:[00000030h]4_2_014B09AD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B09AD mov eax, dword ptr fs:[00000030h]4_2_014B09AD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C29A0 mov eax, dword ptr fs:[00000030h]4_2_014C29A0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C2840 mov ecx, dword ptr fs:[00000030h]4_2_014C2840
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4859 mov eax, dword ptr fs:[00000030h]4_2_014B4859
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B4859 mov eax, dword ptr fs:[00000030h]4_2_014B4859
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E0854 mov eax, dword ptr fs:[00000030h]4_2_014E0854
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153E872 mov eax, dword ptr fs:[00000030h]4_2_0153E872
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153E872 mov eax, dword ptr fs:[00000030h]4_2_0153E872
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01546870 mov eax, dword ptr fs:[00000030h]4_2_01546870
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01546870 mov eax, dword ptr fs:[00000030h]4_2_01546870
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153C810 mov eax, dword ptr fs:[00000030h]4_2_0153C810
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2835 mov eax, dword ptr fs:[00000030h]4_2_014D2835
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2835 mov eax, dword ptr fs:[00000030h]4_2_014D2835
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2835 mov eax, dword ptr fs:[00000030h]4_2_014D2835
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2835 mov ecx, dword ptr fs:[00000030h]4_2_014D2835
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2835 mov eax, dword ptr fs:[00000030h]4_2_014D2835
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D2835 mov eax, dword ptr fs:[00000030h]4_2_014D2835
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EA830 mov eax, dword ptr fs:[00000030h]4_2_014EA830
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DE8C0 mov eax, dword ptr fs:[00000030h]4_2_014DE8C0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157A8E4 mov eax, dword ptr fs:[00000030h]4_2_0157A8E4
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC8F9 mov eax, dword ptr fs:[00000030h]4_2_014EC8F9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EC8F9 mov eax, dword ptr fs:[00000030h]4_2_014EC8F9
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0887 mov eax, dword ptr fs:[00000030h]4_2_014B0887
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153C89D mov eax, dword ptr fs:[00000030h]4_2_0153C89D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01546B40 mov eax, dword ptr fs:[00000030h]4_2_01546B40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01546B40 mov eax, dword ptr fs:[00000030h]4_2_01546B40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0157AB40 mov eax, dword ptr fs:[00000030h]4_2_0157AB40
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01558B42 mov eax, dword ptr fs:[00000030h]4_2_01558B42
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ACB7E mov eax, dword ptr fs:[00000030h]4_2_014ACB7E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152EB1D mov eax, dword ptr fs:[00000030h]4_2_0152EB1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DEB20 mov eax, dword ptr fs:[00000030h]4_2_014DEB20
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DEB20 mov eax, dword ptr fs:[00000030h]4_2_014DEB20
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01578B28 mov eax, dword ptr fs:[00000030h]4_2_01578B28
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01578B28 mov eax, dword ptr fs:[00000030h]4_2_01578B28
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0155EBD0 mov eax, dword ptr fs:[00000030h]4_2_0155EBD0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0BCD mov eax, dword ptr fs:[00000030h]4_2_014B0BCD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0BCD mov eax, dword ptr fs:[00000030h]4_2_014B0BCD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0BCD mov eax, dword ptr fs:[00000030h]4_2_014B0BCD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D0BCB mov eax, dword ptr fs:[00000030h]4_2_014D0BCB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D0BCB mov eax, dword ptr fs:[00000030h]4_2_014D0BCB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D0BCB mov eax, dword ptr fs:[00000030h]4_2_014D0BCB
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153CBF0 mov eax, dword ptr fs:[00000030h]4_2_0153CBF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DEBFC mov eax, dword ptr fs:[00000030h]4_2_014DEBFC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8BF0 mov eax, dword ptr fs:[00000030h]4_2_014B8BF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8BF0 mov eax, dword ptr fs:[00000030h]4_2_014B8BF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8BF0 mov eax, dword ptr fs:[00000030h]4_2_014B8BF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0BBE mov eax, dword ptr fs:[00000030h]4_2_014C0BBE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0BBE mov eax, dword ptr fs:[00000030h]4_2_014C0BBE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0A5B mov eax, dword ptr fs:[00000030h]4_2_014C0A5B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014C0A5B mov eax, dword ptr fs:[00000030h]4_2_014C0A5B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B6A50 mov eax, dword ptr fs:[00000030h]4_2_014B6A50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152CA72 mov eax, dword ptr fs:[00000030h]4_2_0152CA72
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0152CA72 mov eax, dword ptr fs:[00000030h]4_2_0152CA72
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECA6F mov eax, dword ptr fs:[00000030h]4_2_014ECA6F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECA6F mov eax, dword ptr fs:[00000030h]4_2_014ECA6F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECA6F mov eax, dword ptr fs:[00000030h]4_2_014ECA6F
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_0153CA11 mov eax, dword ptr fs:[00000030h]4_2_0153CA11
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DEA2E mov eax, dword ptr fs:[00000030h]4_2_014DEA2E
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECA24 mov eax, dword ptr fs:[00000030h]4_2_014ECA24
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECA38 mov eax, dword ptr fs:[00000030h]4_2_014ECA38
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D4A35 mov eax, dword ptr fs:[00000030h]4_2_014D4A35
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D4A35 mov eax, dword ptr fs:[00000030h]4_2_014D4A35
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0AD0 mov eax, dword ptr fs:[00000030h]4_2_014B0AD0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01506ACC mov eax, dword ptr fs:[00000030h]4_2_01506ACC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01506ACC mov eax, dword ptr fs:[00000030h]4_2_01506ACC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01506ACC mov eax, dword ptr fs:[00000030h]4_2_01506ACC
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E4AD0 mov eax, dword ptr fs:[00000030h]4_2_014E4AD0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E4AD0 mov eax, dword ptr fs:[00000030h]4_2_014E4AD0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EAAEE mov eax, dword ptr fs:[00000030h]4_2_014EAAEE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014EAAEE mov eax, dword ptr fs:[00000030h]4_2_014EAAEE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BEA80 mov eax, dword ptr fs:[00000030h]4_2_014BEA80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584A80 mov eax, dword ptr fs:[00000030h]4_2_01584A80
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E8A90 mov edx, dword ptr fs:[00000030h]4_2_014E8A90
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8AA0 mov eax, dword ptr fs:[00000030h]4_2_014B8AA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8AA0 mov eax, dword ptr fs:[00000030h]4_2_014B8AA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01506AA4 mov eax, dword ptr fs:[00000030h]4_2_01506AA4
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0D59 mov eax, dword ptr fs:[00000030h]4_2_014B0D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0D59 mov eax, dword ptr fs:[00000030h]4_2_014B0D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B0D59 mov eax, dword ptr fs:[00000030h]4_2_014B0D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8D59 mov eax, dword ptr fs:[00000030h]4_2_014B8D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8D59 mov eax, dword ptr fs:[00000030h]4_2_014B8D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8D59 mov eax, dword ptr fs:[00000030h]4_2_014B8D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8D59 mov eax, dword ptr fs:[00000030h]4_2_014B8D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014B8D59 mov eax, dword ptr fs:[00000030h]4_2_014B8D59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01548D6B mov eax, dword ptr fs:[00000030h]4_2_01548D6B
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01568D10 mov eax, dword ptr fs:[00000030h]4_2_01568D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01568D10 mov eax, dword ptr fs:[00000030h]4_2_01568D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CAD00 mov eax, dword ptr fs:[00000030h]4_2_014CAD00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CAD00 mov eax, dword ptr fs:[00000030h]4_2_014CAD00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014CAD00 mov eax, dword ptr fs:[00000030h]4_2_014CAD00
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E4D1D mov eax, dword ptr fs:[00000030h]4_2_014E4D1D
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A6D10 mov eax, dword ptr fs:[00000030h]4_2_014A6D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A6D10 mov eax, dword ptr fs:[00000030h]4_2_014A6D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A6D10 mov eax, dword ptr fs:[00000030h]4_2_014A6D10
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01538D20 mov eax, dword ptr fs:[00000030h]4_2_01538D20
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01534DD7 mov eax, dword ptr fs:[00000030h]4_2_01534DD7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01534DD7 mov eax, dword ptr fs:[00000030h]4_2_01534DD7
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DEDD3 mov eax, dword ptr fs:[00000030h]4_2_014DEDD3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DEDD3 mov eax, dword ptr fs:[00000030h]4_2_014DEDD3
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ACDEA mov eax, dword ptr fs:[00000030h]4_2_014ACDEA
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ACDEA mov eax, dword ptr fs:[00000030h]4_2_014ACDEA
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01550DF0 mov eax, dword ptr fs:[00000030h]4_2_01550DF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01550DF0 mov eax, dword ptr fs:[00000030h]4_2_01550DF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE0 mov eax, dword ptr fs:[00000030h]4_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE0 mov eax, dword ptr fs:[00000030h]4_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE0 mov eax, dword ptr fs:[00000030h]4_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE0 mov eax, dword ptr fs:[00000030h]4_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE0 mov eax, dword ptr fs:[00000030h]4_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BADE0 mov eax, dword ptr fs:[00000030h]4_2_014BADE0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D0DE1 mov eax, dword ptr fs:[00000030h]4_2_014D0DE1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014A6DF6 mov eax, dword ptr fs:[00000030h]4_2_014A6DF6
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DCDF0 mov eax, dword ptr fs:[00000030h]4_2_014DCDF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014DCDF0 mov ecx, dword ptr fs:[00000030h]4_2_014DCDF0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E6DA0 mov eax, dword ptr fs:[00000030h]4_2_014E6DA0
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D8DBF mov eax, dword ptr fs:[00000030h]4_2_014D8DBF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014D8DBF mov eax, dword ptr fs:[00000030h]4_2_014D8DBF
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01584DAD mov eax, dword ptr fs:[00000030h]4_2_01584DAD
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01578DAE mov eax, dword ptr fs:[00000030h]4_2_01578DAE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_01578DAE mov eax, dword ptr fs:[00000030h]4_2_01578DAE
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECDB1 mov ecx, dword ptr fs:[00000030h]4_2_014ECDB1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECDB1 mov eax, dword ptr fs:[00000030h]4_2_014ECDB1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014ECDB1 mov eax, dword ptr fs:[00000030h]4_2_014ECDB1
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014E4C59 mov eax, dword ptr fs:[00000030h]4_2_014E4C59
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BAC50 mov eax, dword ptr fs:[00000030h]4_2_014BAC50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BAC50 mov eax, dword ptr fs:[00000030h]4_2_014BAC50
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeCode function: 4_2_014BAC50 mov eax, dword ptr fs:[00000030h]4_2_014BAC50
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeProcess created: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"Jump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeQueries volume information: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.#U0110#U1eb7t h#U00e0ng.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation            		1
            DLL Side-Loading            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping31
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            DLL Side-Loading            		11
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
            Virtualization/Sandbox Evasion            		Security Account Manager41
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive1
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520354 Sample: #U0110#U1eb7t h#U00e0ng.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 25 18.31.95.13.in-addr.arpa 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected FormBook 2->31 33 7 other signatures 2->33 8 #U0110#U1eb7t h#U00e0ng.exe 4 2->8         started        signatures3 process4 file5 23 C:\Users\...\#U0110#U1eb7t h#U00e0ng.exe.log, ASCII 8->23 dropped 35 Adds a directory exclusion to Windows Defender 8->35 12 powershell.exe 23 8->12         started        15 MpCmdRun.exe 2 8->15         started        17 #U0110#U1eb7t h#U00e0ng.exe 8->17         started        signatures6 process7 signatures8 37 Loading BitLocker PowerShell Module 12->37 19 conhost.exe 12->19         started        21 conhost.exe 15->21         started        process9

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            #U0110#U1eb7t h#U00e0ng.exe50%ReversingLabsByteCode-MSIL.Trojan.Zilla
            #U0110#U1eb7t h#U00e0ng.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            18.31.95.13.in-addr.arpa
            		unknown
            		unknowntrue
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name#U0110#U1eb7t h#U00e0ng.exe, 00000000.00000002.1458898426.0000000002CF0000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown

              World Map of Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1520354
              Start date and time:2024-09-27 08:41:08 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 45s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:10
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:#U0110#U1eb7t h#U00e0ng.exe
              renamed because original name is a hash value
              Original Sample Name:t hng.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@8/7@1/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 95%
              • Number of executed functions: 12
              • Number of non-executed functions: 264
              Cookbook Comments:
              • Found application associated with file extension: .exe

              Warnings

              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: #U0110#U1eb7t h#U00e0ng.exe

              Simulations

              Behavior and APIs

              TimeTypeDescription
              02:42:05API Interceptor5x Sleep call for process: #U0110#U1eb7t h#U00e0ng.exe modified
              02:42:08API Interceptor9x Sleep call for process: powershell.exe modified
              02:42:51API Interceptor1x Sleep call for process: MpCmdRun.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASNs

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U0110#U1eb7t h#U00e0ng.exe.log

              Download File
              Process:C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.34331486778365
              Encrypted:false
              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
              MD5:1330C80CAAC9A0FB172F202485E9B1E8
              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
              Malicious:true
              Reputation:high, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):1172
              Entropy (8bit):5.357042452875322
              Encrypted:false
              SSDEEP:24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
              MD5:475D428E7231D005EEA5DB556DBED03F
              SHA1:3D603ED4280E0017D1BEB124D68183F8283B5C22
              SHA-256:1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
              SHA-512:7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13txmx3a.hsl.ps1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Reputation:high, very likely benign file
              Preview:# PowerShell test file to determine AppLocker lockdown mode

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_is0eidbu.bod.psm1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5d03lhp.x14.ps1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jezhzs43.zri.psm1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode

              C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

              Download File
              Process:C:\Program Files\Windows Defender\MpCmdRun.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:modified
              Size (bytes):2464
              Entropy (8bit):3.2447134994529985
              Encrypted:false
              SSDEEP:24:QOaqdmuF3rXzV+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVC:FaqdF7XzV+AAHdKoqKFxcxkFNzP
              MD5:3FE580DA93636F26E617E7FC2E8F5D7B
              SHA1:0B1CB4EC7549CC3625C8965E8415889777E04DF7
              SHA-256:DF2944DA109609BE1D76FFFB598738B87D8D71B15F5EE0A8D483094DCE5417E4
              SHA-512:BA362F521E23CD76A4569D5E4812F1D8E8FF04F590263A3754A3CE9DEB734477691C68A2B60BFFB02BE5D74DFC3576B78E575A84255B6E7DC699F7327CB9D4C9
              Malicious:false
              Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. S.e.p. .. 2.7. .. 2.0.2.4. .0.2.:.4.2.:.5.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.759749395597716
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:#U0110#U1eb7t h#U00e0ng.exe
              File size:753'152 bytes
              MD5:f02a7d343b0827be9bebee347d4b81eb
              SHA1:db7f73bf065dc3fb344d34c1e8292d731b3db96a
              SHA256:3068f372435cd29582de3a4a6f37f37aa6bec7750dd789b67c050173af33a75b
              SHA512:00815ab396eb202f32334aa98209f492d9aa7a4ef803964689d3868be94901d3bb6c39d8293744a8c1e7b9b11bafc33688e6914b3edfb43cc224998ad10a3013
              SSDEEP:12288:FBIrMVLGQ1IsDB4Gc/ICrtiXQ1JA6uC9I8U/I+hLXQh/xKdHI6WhMJcVs2O7Sljm:FirSPcwWtiN6z9xUQ+5QhMd8hMkO7Ojm
              TLSH:15F4F0893F5BC520F82E0274FEA3592043E25E6691A9F05A59E23185FBF6ECFD406D13
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$.f.................v............... ........@.. ....................................@................................

              File Icon

              Icon Hash:e0ca09002b030300

              Static PE Info

              General

              Entrypoint:0x4a94ce
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66F6241B [Fri Sep 27 03:18:51 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0xa94740x57.text
              IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x10400.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0xbc0000xc.reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x20000xa74d40xa760037aed938b04a330dc486eb816c70fad2False0.9639554354929052data7.957791733986186IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc0xaa0000x104000x10400d4eef784edddb9bc6bedeb378ce7198aFalse0.047776442307692304data2.406829058121341IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc0xbc0000xc0x20033681364f3747b807fb359f1de678aa7False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountryZLIB Complexity
              RT_ICON0xaa1300xfca4Device independent bitmap graphic, 109 x 286 x 32, image size 62348, resolution 3779 x 3779 px/m0.036520502195559405
              RT_GROUP_ICON0xb9dd40x14data1.1
              RT_VERSION0xb9de80x32cdata0.42857142857142855
              RT_MANIFEST0xba1140x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

              Imports

              DLLImport
              mscoree.dll_CorExeMain

              Network Behavior

              Network Port Distribution

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Sep 27, 2024 08:42:37.780309916 CEST5356740162.159.36.2192.168.2.8
              Sep 27, 2024 08:42:38.249974012 CEST5136353192.168.2.81.1.1.1
              Sep 27, 2024 08:42:38.257040024 CEST53513631.1.1.1192.168.2.8

              DNS Queries

              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Sep 27, 2024 08:42:38.249974012 CEST192.168.2.81.1.1.10x2d38Standard query (0)18.31.95.13.in-addr.arpaPTR (Pointer record)IN (0x0001)false

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Sep 27, 2024 08:42:38.257040024 CEST1.1.1.1192.168.2.80x2d38Name error (3)18.31.95.13.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              Behavior

              Click to jump to process

              System Behavior

              General

              Target ID:0
              Start time:02:42:05
              Start date:27/09/2024
              Path:C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
              Imagebase:0x930000
              File size:753'152 bytes
              MD5 hash:F02A7D343B0827BE9BEBEE347D4B81EB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              General

              Target ID:3
              Start time:02:42:06
              Start date:27/09/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
              Imagebase:0x9e0000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              General

              Target ID:4
              Start time:02:42:06
              Start date:27/09/2024
              Path:C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\#U0110#U1eb7t h#U00e0ng.exe"
              Imagebase:0xa60000
              File size:753'152 bytes
              MD5 hash:F02A7D343B0827BE9BEBEE347D4B81EB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1551664780.00000000013A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:low
              Has exited:true

              General

              Target ID:5
              Start time:02:42:06
              Start date:27/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6ee680000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              General

              Target ID:7
              Start time:02:42:50
              Start date:27/09/2024
              Path:C:\Program Files\Windows Defender\MpCmdRun.exe
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
              Imagebase:0x7ff743de0000
              File size:468'120 bytes
              MD5 hash:B3676839B2EE96983F9ED735CD044159
              Has elevated privileges:true
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              General

              Target ID:8
              Start time:02:42:50
              Start date:27/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6ee680000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Disassembly

              Reset < >

                Execution Graph

                Execution Coverage:9.8%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:36
                Total number of Limit Nodes:1
                execution_graph 8938 5341df0 8939 5341e58 CreateWindowExW 8938->8939 8941 5341f14 8939->8941 8941->8941 8942 5341fa8 8943 5341fce 8942->8943 8946 5340bac 8943->8946 8947 5340bb7 8946->8947 8948 5342d79 8947->8948 8950 5342d69 8947->8950 8951 5342d77 8948->8951 8971 5340cd4 8948->8971 8955 5342ea0 8950->8955 8960 5342f6c 8950->8960 8966 5342e91 8950->8966 8951->8951 8957 5342eb4 8955->8957 8956 5342f40 8956->8951 8975 5342f47 8957->8975 8978 5342f58 8957->8978 8961 5342f2a 8960->8961 8962 5342f7a 8960->8962 8964 5342f47 CallWindowProcW 8961->8964 8965 5342f58 CallWindowProcW 8961->8965 8963 5342f40 8963->8951 8964->8963 8965->8963 8968 5342eb4 8966->8968 8967 5342f40 8967->8951 8969 5342f47 CallWindowProcW 8968->8969 8970 5342f58 CallWindowProcW 8968->8970 8969->8967 8970->8967 8972 5340cdf 8971->8972 8973 534445a CallWindowProcW 8972->8973 8974 5344409 8972->8974 8973->8974 8974->8951 8976 5342f69 8975->8976 8981 5344392 8975->8981 8976->8956 8979 5342f69 8978->8979 8980 5344392 CallWindowProcW 8978->8980 8979->8956 8980->8979 8982 5340cd4 CallWindowProcW 8981->8982 8983 53443aa 8982->8983 8983->8976

                Executed Functions

                Function 05341DE5 Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 0 5341de5-5341e56 1 5341e61-5341e68 0->1 2 5341e58-5341e5e 0->2 3 5341e73-5341eab 1->3 4 5341e6a-5341e70 1->4 2->1 5 5341eb3-5341f12 CreateWindowExW 3->5 4->3 6 5341f14-5341f1a 5->6 7 5341f1b-5341f53 5->7 6->7 11 5341f55-5341f58 7->11 12 5341f60 7->12 11->12 13 5341f61 12->13 13->13
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05341F02
                Memory Dump Source
                • Source File: 00000000.00000002.1464935362.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5340000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 73382654abf419cf7c3c51bb7176a6af8fdc0a933099100693ff59691a2614c5
                • Instruction ID: d8acbbd2dc92700e22e492ee167f11dd46aaafe1e2f470ece84857c9fc4e8642
                • Opcode Fuzzy Hash: 73382654abf419cf7c3c51bb7176a6af8fdc0a933099100693ff59691a2614c5
                • Instruction Fuzzy Hash: E051C3B5D14349DFDB14CFA9C884ADEBBF5BF48310F24822AE419AB210D775A985CF90
                Function 05341DF0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 14 5341df0-5341e56 15 5341e61-5341e68 14->15 16 5341e58-5341e5e 14->16 17 5341e73-5341f12 CreateWindowExW 15->17 18 5341e6a-5341e70 15->18 16->15 20 5341f14-5341f1a 17->20 21 5341f1b-5341f53 17->21 18->17 20->21 25 5341f55-5341f58 21->25 26 5341f60 21->26 25->26 27 5341f61 26->27 27->27
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05341F02
                Memory Dump Source
                • Source File: 00000000.00000002.1464935362.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5340000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 73a9044698eae80a0ed1dbc24d906f9e2b874dcaa9694cd41aef9277aca84284
                • Instruction ID: bda784d7683fa9f5e1897ce61e24d64e2961e4ad39d7840484802f41c8b4c3ac
                • Opcode Fuzzy Hash: 73a9044698eae80a0ed1dbc24d906f9e2b874dcaa9694cd41aef9277aca84284
                • Instruction Fuzzy Hash: AB41B3B5D10349DFDB14CFA9C884ADEBBF5BF48310F24812AE419AB210D775A885CF90
                Function 05340CD4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 28 5340cd4-53443fc 31 5344402-5344407 28->31 32 53444ac-53444cc call 5340bac 28->32 34 5344409-5344440 31->34 35 534445a-5344492 CallWindowProcW 31->35 40 53444cf-53444dc 32->40 41 5344442-5344448 34->41 42 5344449-5344458 34->42 36 5344494-534449a 35->36 37 534449b-53444aa 35->37 36->37 37->40 41->42 42->40
                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05344481
                Memory Dump Source
                • Source File: 00000000.00000002.1464935362.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5340000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: 6fb8182e9166932022ec821a9bc144bbd6c6429294ee2c34b843c73dcf68227f
                • Instruction ID: 7a24070645213ce719933a8634dd25db022b043e9b941803da202451d5f9dc80
                • Opcode Fuzzy Hash: 6fb8182e9166932022ec821a9bc144bbd6c6429294ee2c34b843c73dcf68227f
                • Instruction Fuzzy Hash: 394115B8A003059FDB14CF99C488BAABBF5FF88314F24C459E519AB321D774A841CFA0

                Non-executed Functions

                Function 05340130 Relevance: .3, Instructions: 315COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.1464935362.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5340000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1681af68085eccd0279c863ac983d10a61ff5618cda964bbe0bdba3e2ef3ed1f
                • Instruction ID: c6f50c0f1b765190cb0a429a383d7df90579576e97b58d81875a3b4a765136dc
                • Opcode Fuzzy Hash: 1681af68085eccd0279c863ac983d10a61ff5618cda964bbe0bdba3e2ef3ed1f
                • Instruction Fuzzy Hash: 0F1270F0401B4A8BE730CF65F94C2897BB1BB85728B904709D2696F2E9DBB9154BCF44
                Function 05340120 Relevance: .2, Instructions: 222COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.1464935362.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5340000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e2da6e3b886fceb197950427645e6aed0792f78ade277f5c33336c3585a84c94
                • Instruction ID: a2a18ab532b9e7897ee66ca4d4e2e561f07881e5f56accabe7084994e8c29b5d
                • Opcode Fuzzy Hash: e2da6e3b886fceb197950427645e6aed0792f78ade277f5c33336c3585a84c94
                • Instruction Fuzzy Hash: 96C1F5B080174A8FE720CF65F84C2897BB1BB85728F544709D2696B2E8DBB9158BCF44

                Execution Graph

                Execution Coverage:0.8%
                Dynamic/Decrypted Code Coverage:5.8%
                Signature Coverage:9.7%
                Total number of Nodes:103
                Total number of Limit Nodes:9
                execution_graph 84560 424fc3 84565 424fdc 84560->84565 84561 425068 84562 425027 84568 42e9a3 84562->84568 84565->84561 84565->84562 84566 425063 84565->84566 84567 42e9a3 RtlFreeHeap 84566->84567 84567->84561 84571 42cc33 84568->84571 84570 425033 84572 42cc50 84571->84572 84573 42cc61 RtlFreeHeap 84572->84573 84573->84570 84574 42fb63 84575 42fb73 84574->84575 84576 42fb79 84574->84576 84579 42ea83 84576->84579 84578 42fb9f 84582 42cbe3 84579->84582 84581 42ea9e 84581->84578 84583 42cc00 84582->84583 84584 42cc11 RtlAllocateHeap 84583->84584 84584->84581 84585 42be83 84586 42be9d 84585->84586 84589 14f2df0 LdrInitializeThunk 84586->84589 84587 42bec5 84589->84587 84661 42fc93 84662 42fc03 84661->84662 84663 42ea83 RtlAllocateHeap 84662->84663 84664 42fc60 84662->84664 84665 42fc3d 84663->84665 84666 42e9a3 RtlFreeHeap 84665->84666 84666->84664 84667 424c33 84668 424c4f 84667->84668 84669 424c77 84668->84669 84670 424c8b 84668->84670 84671 42c8b3 NtClose 84669->84671 84672 42c8b3 NtClose 84670->84672 84673 424c80 84671->84673 84674 424c94 84672->84674 84677 42eac3 RtlAllocateHeap 84674->84677 84676 424c9f 84677->84676 84590 417983 84591 4179a7 84590->84591 84592 4179e3 LdrLoadDll 84591->84592 84593 4179ae 84591->84593 84592->84593 84678 413e53 84680 413e73 84678->84680 84681 413edc 84680->84681 84683 41b613 RtlFreeHeap LdrInitializeThunk 84680->84683 84682 413ed2 84683->84682 84684 413c73 84687 42cb43 84684->84687 84688 42cb5d 84687->84688 84691 14f2c70 LdrInitializeThunk 84688->84691 84689 413c95 84691->84689 84594 401be3 84595 401be9 84594->84595 84596 401b78 84594->84596 84599 430033 84596->84599 84602 42e553 84599->84602 84603 42e579 84602->84603 84612 407523 84603->84612 84605 42e58f 84606 401bda 84605->84606 84615 41b303 84605->84615 84608 42e5ae 84609 42e5c3 84608->84609 84610 42cc83 ExitProcess 84608->84610 84626 42cc83 84609->84626 84610->84609 84629 416643 84612->84629 84614 407530 84614->84605 84616 41b32f 84615->84616 84647 41b1f3 84616->84647 84619 41b374 84621 41b390 84619->84621 84624 42c8b3 NtClose 84619->84624 84620 41b35c 84622 41b367 84620->84622 84653 42c8b3 84620->84653 84621->84608 84622->84608 84625 41b386 84624->84625 84625->84608 84627 42cc9d 84626->84627 84628 42ccae ExitProcess 84627->84628 84628->84606 84630 416660 84629->84630 84632 416679 84630->84632 84633 42d313 84630->84633 84632->84614 84635 42d32d 84633->84635 84634 42d35c 84634->84632 84635->84634 84640 42bed3 84635->84640 84638 42e9a3 RtlFreeHeap 84639 42d3d5 84638->84639 84639->84632 84641 42bef0 84640->84641 84644 14f2c0a 84641->84644 84642 42bf1c 84642->84638 84645 14f2c1f LdrInitializeThunk 84644->84645 84646 14f2c11 84644->84646 84645->84642 84646->84642 84648 41b2e9 84647->84648 84649 41b20d 84647->84649 84648->84619 84648->84620 84656 42bf73 84649->84656 84652 42c8b3 NtClose 84652->84648 84654 42c8cd 84653->84654 84655 42c8de NtClose 84654->84655 84655->84622 84657 42bf90 84656->84657 84660 14f35c0 LdrInitializeThunk 84657->84660 84658 41b2dd 84658->84652 84660->84658

                Executed Functions

                Function 00417983 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 27 417983-41799f 28 4179a7-4179ac 27->28 29 4179a2 call 42f6a3 27->29 30 4179b2-4179c0 call 42fca3 28->30 31 4179ae-4179b1 28->31 29->28 34 4179d0-4179e1 call 42e023 30->34 35 4179c2-4179cd call 42ff43 30->35 40 4179e3-4179f7 LdrLoadDll 34->40 41 4179fa-4179fd 34->41 35->34 40->41
                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004179F5
                Memory Dump Source
                • Source File: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_#U0110#U1eb7t h#U00e0ng.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 352a911c7d75b054859a4398694d1711e84ed81b6f2a009f0faaad9a1ff4d0c8
                • Instruction ID: c7a968f45a459e0633ba3b3c9d85e8edd550cd31cb490a104a89d8a481d041c1
                • Opcode Fuzzy Hash: 352a911c7d75b054859a4398694d1711e84ed81b6f2a009f0faaad9a1ff4d0c8
                • Instruction Fuzzy Hash: BA0152B5E0010DA7DB10DAA5DC42FDEB3789B14308F4041A6E90897240F635EB588B95
                Function 0042C8B3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 52 42c8b3-42c8ec call 404843 call 42db13 NtClose
                APIs
                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C8E7
                Memory Dump Source
                • Source File: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_#U0110#U1eb7t h#U00e0ng.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 1f2e55867fb49e0edbdfca481a993cadd69b59c11f28a48fb14a12efc8519f18
                • Instruction ID: d5d408aa627ccc7809f1817482fdcd7888bd1ae54e0b5777c1bc992e71757020
                • Opcode Fuzzy Hash: 1f2e55867fb49e0edbdfca481a993cadd69b59c11f28a48fb14a12efc8519f18
                • Instruction Fuzzy Hash: 95E04F363002147BDA20BA5ADC41FDB775CDBC9754F004419FB0DA7282D670BA0086E5
                Function 014F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 67 14f2df0-14f2dfc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: ebd96cad7d876e827cf3d3156201ef1801eccc9179fcc119b58e8a3ed0db193d
                • Instruction ID: 29a533a705252cf03705c4bfd28e396fc283f9f2868ec48b525b71b6c979d548
                • Opcode Fuzzy Hash: ebd96cad7d876e827cf3d3156201ef1801eccc9179fcc119b58e8a3ed0db193d
                • Instruction Fuzzy Hash: 0190023160180453D11271984504B070049A7D0251F99C812A042499CDD6968A92A221
                Function 014F2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 66 14f2c70-14f2c7c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 5d069a01ebca24cb429f049d7905b71d22b5357332cbe8a1d5c3d157d724cc0d
                • Instruction ID: 2f0bf10be758f64fdd76abde4a235edf02022ae2cc8f679ef5eb13e78d76443b
                • Opcode Fuzzy Hash: 5d069a01ebca24cb429f049d7905b71d22b5357332cbe8a1d5c3d157d724cc0d
                • Instruction Fuzzy Hash: E890023160188842D11171988404B4A0045A7D0311F5DC811A4424A9CDC6D589D17221
                Function 014F35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 68 14f35c0-14f35cc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b83c988a2980b3ed637095052300fb9f8057a7bf092e520abc52ddd553c41f20
                • Instruction ID: 1faeec559c12745f30956bb5caf7ea1cb7e69fe82825fa3670acc4ce0d3a3985
                • Opcode Fuzzy Hash: b83c988a2980b3ed637095052300fb9f8057a7bf092e520abc52ddd553c41f20
                • Instruction Fuzzy Hash: 09900231A0590442D10171984514B061045A7D0211F69C811A04249ACDC7D58A9166A2
                Function 0042CBE3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 42 42cbe3-42cc27 call 404843 call 42db13 RtlAllocateHeap
                APIs
                • RtlAllocateHeap.NTDLL(?,0041E7BE,?,?,00000000,?,0041E7BE,?,?,?), ref: 0042CC22
                Memory Dump Source
                • Source File: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_#U0110#U1eb7t h#U00e0ng.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: b6deca932c6654ca86d4eb412088f9019d810c86403fd3c820abf9ad62f2039c
                • Instruction ID: 1503fd3026b6a6c884018fb1076d2efb6d6f5d3df5eecbcf58bdfa754225d855
                • Opcode Fuzzy Hash: b6deca932c6654ca86d4eb412088f9019d810c86403fd3c820abf9ad62f2039c
                • Instruction Fuzzy Hash: B7E06D762042047BDA10EE59DC41FDB37ACEFC8714F004419FE08A7241E770B9108AB8
                Function 0042CC33 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 47 42cc33-42cc77 call 404843 call 42db13 RtlFreeHeap
                APIs
                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,C4830C75,00000007,00000000,00000004,00000000,0041720F,000000F4), ref: 0042CC72
                Memory Dump Source
                • Source File: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_#U0110#U1eb7t h#U00e0ng.jbxd
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 38eafd8a1ea63597223e5a1425a7c26f04ed257e1e495f63d6fb01429785e211
                • Instruction ID: 1c873b0a11d26d802b22e0b7b45bc634ffb0764c5d8b412d7deec3f1fea9b478
                • Opcode Fuzzy Hash: 38eafd8a1ea63597223e5a1425a7c26f04ed257e1e495f63d6fb01429785e211
                • Instruction Fuzzy Hash: 8AE06D763002057BD610EE59EC41EAB77ACEFC8714F104429FE08A7282DA70B9108BB8
                Function 0042CC83 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 57 42cc83-42ccbc call 404843 call 42db13 ExitProcess
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_#U0110#U1eb7t h#U00e0ng.jbxd
                Yara matches
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                • Opcode ID: 657fc2068f50c85c9734239eb842ba7256170667a099f2beb8aaa4f4faf4d97b
                • Instruction ID: ed91766b2cb9a97b247fab496e5ef85578791cc222d617aa0471655d34f62498
                • Opcode Fuzzy Hash: 657fc2068f50c85c9734239eb842ba7256170667a099f2beb8aaa4f4faf4d97b
                • Instruction Fuzzy Hash: 0DE04F763002147BD620EA5ADC42F97775CDFC5714F004429FA0CA7286D674BA0086B4
                Function 014F2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 62 14f2c0a-14f2c0f 63 14f2c1f-14f2c26 LdrInitializeThunk 62->63 64 14f2c11-14f2c18 62->64
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 809a5c5f1316f5ca696e6c958fa47e76aa92c1c26595163ab673ae119676917c
                • Instruction ID: 4540d13d4d0c05d6f88e8037061970199dd5d3f0be26752b31dfaf05d4b2c75a
                • Opcode Fuzzy Hash: 809a5c5f1316f5ca696e6c958fa47e76aa92c1c26595163ab673ae119676917c
                • Instruction Fuzzy Hash: E7B09B71D019C5C5DA12E7A44608F177940B7D0711F19C466D3030696F8778C1D1E275

                Non-executed Functions

                Function 01568D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE
                Download Yara Rule
                Strings
                • *** enter .exr %p for the exception record, xrefs: 01568FA1
                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01568DB5
                • The resource is owned shared by %d threads, xrefs: 01568E2E
                • The instruction at %p referenced memory at %p., xrefs: 01568EE2
                • a NULL pointer, xrefs: 01568F90
                • *** Resource timeout (%p) in %ws:%s, xrefs: 01568E02
                • *** enter .cxr %p for the context, xrefs: 01568FBD
                • The instruction at %p tried to %s , xrefs: 01568F66
                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01568F2D
                • Go determine why that thread has not released the critical section., xrefs: 01568E75
                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01568E4B
                • The critical section is owned by thread %p., xrefs: 01568E69
                • write to, xrefs: 01568F56
                • <unknown>, xrefs: 01568D2E, 01568D81, 01568E00, 01568E49, 01568EC7, 01568F3E
                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01568E86
                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01568E3F
                • an invalid address, %p, xrefs: 01568F7F
                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01568F34
                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01568F26
                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01568DC4
                • read from, xrefs: 01568F5D, 01568F62
                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01568FEF
                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01568DD3
                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01568DA3
                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01568D8C
                • *** Inpage error in %ws:%s, xrefs: 01568EC8
                • *** then kb to get the faulting stack, xrefs: 01568FCC
                • *** An Access Violation occurred in %ws:%s, xrefs: 01568F3F
                • The resource is owned exclusively by thread %p, xrefs: 01568E24
                • This failed because of error %Ix., xrefs: 01568EF6
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                • API String ID: 0-108210295
                • Opcode ID: 4df1eab6bc460d1f3c56e3dd24906683edf3fa758c7312b5342b3bec467703c7
                • Instruction ID: 09ea417da8c7c1e9d47e2232ac028e28a48268933519f1792dd912c52da6eda8
                • Opcode Fuzzy Hash: 4df1eab6bc460d1f3c56e3dd24906683edf3fa758c7312b5342b3bec467703c7
                • Instruction Fuzzy Hash: A881C275A40311FFDB219E198C49D6F7B79FFA6B14F86004AF214AF262F3758811C6A2
                Function 01532349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                • API String ID: 0-2160512332
                • Opcode ID: 1f405af8056d99000b04a42a8de3da7cd01f0a1995dbed0f7fb8fa5e37a12632
                • Instruction ID: 4c406c08f923a0f85723ac66ccfadb8ca031e77243f1cbced077ec4714eee2ed
                • Opcode Fuzzy Hash: 1f405af8056d99000b04a42a8de3da7cd01f0a1995dbed0f7fb8fa5e37a12632
                • Instruction Fuzzy Hash: E0927E71608742AFE721CF29C840B6BBBE8BBD4754F04491EFA94DB261D770E845CB92
                Function 014E8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                Download Yara Rule
                Strings
                • Address of the debug info found in the active list., xrefs: 015254AE, 015254FA
                • Thread identifier, xrefs: 0152553A
                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015254CE
                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0152540A, 01525496, 01525519
                • Critical section debug info address, xrefs: 0152541F, 0152552E
                • Invalid debug info address of this critical section, xrefs: 015254B6
                • Critical section address., xrefs: 01525502
                • corrupted critical section, xrefs: 015254C2
                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015254E2
                • double initialized or corrupted critical section, xrefs: 01525508
                • 8, xrefs: 015252E3
                • Critical section address, xrefs: 01525425, 015254BC, 01525534
                • undeleted critical section in freed memory, xrefs: 0152542B
                • Thread is in a state in which it cannot own a critical section, xrefs: 01525543
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                • API String ID: 0-2368682639
                • Opcode ID: 1f1ebe1681397304dd7f453e470f49ed0a0c762622ce99515ef611eba2d05e8e
                • Instruction ID: 4757d3110abf6e3d2ec780d20ef9b62ac82a079c31db9d7d060cecfb925c442e
                • Opcode Fuzzy Hash: 1f1ebe1681397304dd7f453e470f49ed0a0c762622ce99515ef611eba2d05e8e
                • Instruction Fuzzy Hash: 68819F71A40359AFDF20CF99C845BEEBBF5BB19714F20411AF504BB2A0E371A945CB90
                Function 014E29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                Download Yara Rule
                Strings
                • @, xrefs: 0152259B
                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015225EB
                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01522498
                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015224C0
                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01522412
                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01522506
                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015222E4
                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01522409
                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01522602
                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01522624
                • RtlpResolveAssemblyStorageMapEntry, xrefs: 0152261F
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                • API String ID: 0-4009184096
                • Opcode ID: 24aa5128e70df68a80a20d9ffa921cec6db0b7f9e1ff4c34d89b15794be447a5
                • Instruction ID: 316fabe0d7de17b0275001e85ffe3bc403bff7e9a721470cafd7c08422de086f
                • Opcode Fuzzy Hash: 24aa5128e70df68a80a20d9ffa921cec6db0b7f9e1ff4c34d89b15794be447a5
                • Instruction Fuzzy Hash: 720290B6D002299BDB31CB54CC84B9EB7B8BF55304F4041DAE609AB291DB70AF84CF59
                Function 01558B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                • API String ID: 0-2515994595
                • Opcode ID: 7ba339c19f46c7869bb3ecefa003b5b17043a633c3100be05a885c37dd1fd5ea
                • Instruction ID: a191b3d05d0f13111d60347dd341646510478199e4ea108f959d40c631cb1998
                • Opcode Fuzzy Hash: 7ba339c19f46c7869bb3ecefa003b5b17043a633c3100be05a885c37dd1fd5ea
                • Instruction Fuzzy Hash: BE51C0711143059BD365DF1AC864BAFBBE8FF94240F24491FAE55CB250E770D604C792
                Function 014CAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                • API String ID: 0-3197712848
                • Opcode ID: 1592d3fa5d2c63053ec626128375256ae494d7bba340bac8b81eba61cf6119b8
                • Instruction ID: 51f91085abcfc16be633f1900a75681e87944e69830a95ec085dcfa9ebe6da45
                • Opcode Fuzzy Hash: 1592d3fa5d2c63053ec626128375256ae494d7bba340bac8b81eba61cf6119b8
                • Instruction Fuzzy Hash: 6C1212756083468FE361DF19C851BABB7E0FF94B54F18091EF9858B2A1E730D905CB92
                Function 01560274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                • API String ID: 0-1700792311
                • Opcode ID: 125261fccfd74e807be6003550a9ef5d9777052ce3454cc110f7e143f5acbf7d
                • Instruction ID: 46c0b1e2e57a122638e53954e0617058453d1fb39b7e02f113b42b591dcdea47
                • Opcode Fuzzy Hash: 125261fccfd74e807be6003550a9ef5d9777052ce3454cc110f7e143f5acbf7d
                • Instruction Fuzzy Hash: 54D1FF31600286DFDB22DFA9C440AADBBF9FF69700F59805AF4459F2A2C774D981CB90
                Function 014BADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
                • API String ID: 0-664215390
                • Opcode ID: 244cc8918bb56fcbebafac32c589ab8817ec077588b287c968df5deb45e1e96f
                • Instruction ID: 10e1b3e06d34518c807d0b9a317cd81f7edc726e327187429c547c679a4f4f88
                • Opcode Fuzzy Hash: 244cc8918bb56fcbebafac32c589ab8817ec077588b287c968df5deb45e1e96f
                • Instruction Fuzzy Hash: 203293719002698BEB26CF18C898BEEB7B5FF44350F1441EAD849AB361D7719E81CF60
                Function 015389B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                Download Yara Rule
                Strings
                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01538A3D
                • AVRF: -*- final list of providers -*- , xrefs: 01538B8F
                • VerifierDebug, xrefs: 01538CA5
                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01538A67
                • VerifierFlags, xrefs: 01538C50
                • HandleTraces, xrefs: 01538C8F
                • VerifierDlls, xrefs: 01538CBD
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                • API String ID: 0-3223716464
                • Opcode ID: fbae44722612372bf897c9ca092ec5e3f120b18e5ff930c6e73e16ea35a8218a
                • Instruction ID: 35535e58dc6de5e31ae04d52a4e74a1a1348ef1fc4db4dd3b6691514be4ec978
                • Opcode Fuzzy Hash: fbae44722612372bf897c9ca092ec5e3f120b18e5ff930c6e73e16ea35a8218a
                • Instruction Fuzzy Hash: 589134B1681306AFD726DF69C890F5A7BE4BFE0B14F860A1DFA506F250D7709C058791
                Function 01534DD7 Relevance: 8.8, Strings: 7, Instructions: 86COMMON
                Download Yara Rule
                Strings
                • LdrpGenericExceptionFilter, xrefs: 01534DFC
                • ***Exception thrown within loader***, xrefs: 01534E27
                • Execute '.cxr %p' to dump context, xrefs: 01534EB1
                • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 01534DF5
                • minkernel\ntdll\ldrutil.c, xrefs: 01534E06
                • LdrpProtectedCopyMemory, xrefs: 01534DF4
                • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 01534E38
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                • API String ID: 0-2973941816
                • Opcode ID: 60d5647159c23722cd7323b8003a5d875b006644caef47811f15e8031bffdef2
                • Instruction ID: 4eaf95c49fd48e2f4d0e37d51fa4289c432afb171dc4eaaef474889a1f29fd24
                • Opcode Fuzzy Hash: 60d5647159c23722cd7323b8003a5d875b006644caef47811f15e8031bffdef2
                • Instruction Fuzzy Hash: 04215E721881027FEB289A6DCC45D3A7F9CFBD29A4F24050AF2219F5B1C670DE01E232
                Function 014BEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                • API String ID: 0-1109411897
                • Opcode ID: e5deb6f294a3aa03826dadb64b7a0d540d03e86df8e72abf9042c6c2e81ad2cc
                • Instruction ID: eb5fde9b9f1b055082a865fdd1d233b5e4ee776d76c813ce22401d90c1aaf994
                • Opcode Fuzzy Hash: e5deb6f294a3aa03826dadb64b7a0d540d03e86df8e72abf9042c6c2e81ad2cc
                • Instruction Fuzzy Hash: C1A23B74A0562A8BEB65CF19CC887EDBBB5BB45304F1442EAD50DAB364DB309E85CF10
                Function 014E63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                • API String ID: 0-792281065
                • Opcode ID: 06e45c985ab9d1ad1506924c965b5d2599983c0b2a174b432f68ec567451384c
                • Instruction ID: af3658c560d412eaaf17bc8cba4bf8a082f15f9a5484a6b4ec4a389a92ed30fe
                • Opcode Fuzzy Hash: 06e45c985ab9d1ad1506924c965b5d2599983c0b2a174b432f68ec567451384c
                • Instruction Fuzzy Hash: 0D912731B403269BEB25DF59D848BAE7BE1BF62B14F56012ED5106F2E1D7B09801C794
                Function 014A645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                Download Yara Rule
                Strings
                • LdrpInitShimEngine, xrefs: 015099F4, 01509A07, 01509A30
                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015099ED
                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01509A01
                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01509A2A
                • minkernel\ntdll\ldrinit.c, xrefs: 01509A11, 01509A3A
                • apphelp.dll, xrefs: 014A6496
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                • API String ID: 0-204845295
                • Opcode ID: 44bd140fc4a1dc25cb1946f947688682cdde4a72fa4d2e276be36fb8e89bca55
                • Instruction ID: 7a2a334c91657c76abbfc52a6a3923b25d837af494f26e36accb7b21e1169412
                • Opcode Fuzzy Hash: 44bd140fc4a1dc25cb1946f947688682cdde4a72fa4d2e276be36fb8e89bca55
                • Instruction Fuzzy Hash: 375111312483009FD721DF24C841FABBBE8FB94648F86091EF5999B1B5D770E944CB92
                Function 014E2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                Download Yara Rule
                Strings
                • SXS: %s() passed the empty activation context, xrefs: 01522165
                • RtlGetAssemblyStorageRoot, xrefs: 01522160, 0152219A, 015221BA
                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015221BF
                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01522178
                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01522180
                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0152219F
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                • API String ID: 0-861424205
                • Opcode ID: ae411df427e57634da3db784acd7a76dfc70c059a9984c127c651c49c20b756e
                • Instruction ID: 988f5b77da39e4489ee4c14a288a47bdb4192b037a467266880713f93cb3ef1b
                • Opcode Fuzzy Hash: ae411df427e57634da3db784acd7a76dfc70c059a9984c127c651c49c20b756e
                • Instruction Fuzzy Hash: 82310B3BF4022577FB119A958C45F6B7BACEB95A51F15005BFA04AF260D2B09A01C7A1
                Function 014EC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                Download Yara Rule
                Strings
                • LdrpInitializeImportRedirection, xrefs: 01528177, 015281EB
                • minkernel\ntdll\ldrredirect.c, xrefs: 01528181, 015281F5
                • Loading import redirection DLL: '%wZ', xrefs: 01528170
                • Unable to build import redirection Table, Status = 0x%x, xrefs: 015281E5
                • minkernel\ntdll\ldrinit.c, xrefs: 014EC6C3
                • LdrpInitializeProcess, xrefs: 014EC6C4
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                • API String ID: 0-475462383
                • Opcode ID: dfc3ad8bd314b103bd41d74a380750dfee8ad298fa311c5b53ffb9bdde6944a5
                • Instruction ID: 4113149b68e8aa43a50511e00896419f5a9e77528e738f2269fdc6ed1a58dcf0
                • Opcode Fuzzy Hash: dfc3ad8bd314b103bd41d74a380750dfee8ad298fa311c5b53ffb9bdde6944a5
                • Instruction Fuzzy Hash: CB3104726443529FC220EF29D846E2BBBD5FFA5B14F05051DF9446F2A1D670EC04CBA2
                Function 014F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 014F2DF0: LdrInitializeThunk.NTDLL ref: 014F2DFA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BA3
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BB6
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D60
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D74
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                • String ID:
                • API String ID: 1404860816-0
                • Opcode ID: 5a33f72d0192f2cbb0170173f260bd434c06052839f823a0fea0d6a3b683e158
                • Instruction ID: 2f3dd6687f80b235cd611f87d1741c1b5292f1b1cc97a83231e146d193e5dbd5
                • Opcode Fuzzy Hash: 5a33f72d0192f2cbb0170173f260bd434c06052839f823a0fea0d6a3b683e158
                • Instruction Fuzzy Hash: 25425A72900715DFDB21CF28C880BAAB7F5BF54314F1445AEEA899B352D770AA85CF60
                Function 014BA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                • API String ID: 0-379654539
                • Opcode ID: 6536af59ae7c172f8b0d87d01e332dfe27947a0c5a5f5038051f96e88fa36357
                • Instruction ID: 7cfd1c74f7df09678596eec73d3c170da16ca3a5d613304c8a26a71573ad5da7
                • Opcode Fuzzy Hash: 6536af59ae7c172f8b0d87d01e332dfe27947a0c5a5f5038051f96e88fa36357
                • Instruction Fuzzy Hash: DAC19D74108386DFD711CF58C184BAAB7E4BF84704F24496EF9958B361E738CA4ACB66
                Function 014E8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                Download Yara Rule
                Strings
                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 014E855E
                • LdrpInitializeProcess, xrefs: 014E8422
                • minkernel\ntdll\ldrinit.c, xrefs: 014E8421
                • @, xrefs: 014E8591
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                • API String ID: 0-1918872054
                • Opcode ID: 1aad77aad74bf339805523154fae6bcc42d994ccb1ece7f557f49f35ef940521
                • Instruction ID: 320556a30bf2fc4826e0cf78364f900b1c97752f1956bd00e8364eb753768c0e
                • Opcode Fuzzy Hash: 1aad77aad74bf339805523154fae6bcc42d994ccb1ece7f557f49f35ef940521
                • Instruction Fuzzy Hash: DF919D71518346AFDB21DF66CC44EAFBAE8FF94644F40092FFA8496261E770D904CB62
                Function 014E273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                Download Yara Rule
                Strings
                • SXS: %s() passed the empty activation context, xrefs: 015221DE
                • .Local, xrefs: 014E28D8
                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015222B6
                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015221D9, 015222B1
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                • API String ID: 0-1239276146
                • Opcode ID: 86028cb88b76fb190f2e3ef3ded78da8002c27e6859a695048ae531911b49113
                • Instruction ID: a106cbb7d796f92d1c3b282963ddf59882245475389e50ffc5c065a347cc2372
                • Opcode Fuzzy Hash: 86028cb88b76fb190f2e3ef3ded78da8002c27e6859a695048ae531911b49113
                • Instruction Fuzzy Hash: C5A1C335A00229DBDB24CF59CC88BAAB7F5BF59314F1541EAD908AB361D7709E81CF90
                Function 014E4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                Download Yara Rule
                Strings
                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01523456
                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01523437
                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0152342A
                • RtlDeactivateActivationContext, xrefs: 01523425, 01523432, 01523451
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                • API String ID: 0-1245972979
                • Opcode ID: ccd682c1db46b602762d131bec557a6a4a390d0e8a11b15be3165069a435728d
                • Instruction ID: 7ebc25b82d1ce2c18031adf7114db95c890f7855aad52b5a7fac1bfa7fcdfa18
                • Opcode Fuzzy Hash: ccd682c1db46b602762d131bec557a6a4a390d0e8a11b15be3165069a435728d
                • Instruction Fuzzy Hash: EF6113326007129FDB228F19C849B2AB7E1BB94B11F19856EE9559F3A0D734E801CBD1
                Function 014B64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                Download Yara Rule
                Strings
                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015110AE
                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01510FE5
                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0151106B
                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01511028
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                • API String ID: 0-1468400865
                • Opcode ID: 1ca19d378c7792b4b3872cf5e10e074c7bd1d210c20bee784cd4556305b1c319
                • Instruction ID: f7479d910efa230ed0855deb3fffcb634093363fce32784667e7f40787f45285
                • Opcode Fuzzy Hash: 1ca19d378c7792b4b3872cf5e10e074c7bd1d210c20bee784cd4556305b1c319
                • Instruction Fuzzy Hash: D871E0B19043059FCB21DF15C8C5F9B7BA8AFA4754F41046EF9488B2A6D334D199CBE2
                Function 014E4D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON
                Download Yara Rule
                Strings
                • Querying the active activation context failed with status 0x%08lx, xrefs: 0152365C
                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0152362F
                • LdrpFindDllActivationContext, xrefs: 01523636, 01523662
                • minkernel\ntdll\ldrsnap.c, xrefs: 01523640, 0152366C
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                • API String ID: 0-3779518884
                • Opcode ID: 368490efb33c3b4bc0704b189e48e1d9abe2aa6920a113a9c008c342091ec256
                • Instruction ID: b4677b557985aef5949c0dcfa8ea9cb15cb71ebfba1fcbfee74830255021458e
                • Opcode Fuzzy Hash: 368490efb33c3b4bc0704b189e48e1d9abe2aa6920a113a9c008c342091ec256
                • Instruction Fuzzy Hash: 9A311822D002119ADF329B0CC84DE777BE4BB46616F0E402BE608DB371D7B69C828795
                Function 014D245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                Download Yara Rule
                Strings
                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0151A992
                • LdrpDynamicShimModule, xrefs: 0151A998
                • minkernel\ntdll\ldrinit.c, xrefs: 0151A9A2
                • apphelp.dll, xrefs: 014D2462
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                • API String ID: 0-176724104
                • Opcode ID: afe2dbbb77a470752d5dae123f8397a125281b6805fe2c7f45c2a4afdece8114
                • Instruction ID: c5eb1a603a95b79a8778f5af36cc6ce84c42bac0e02d1aa574fdc31ef39f833c
                • Opcode Fuzzy Hash: afe2dbbb77a470752d5dae123f8397a125281b6805fe2c7f45c2a4afdece8114
                • Instruction Fuzzy Hash: AF317D72640242ABEB339F5DC881E6EBBB5FB84704F57001EE9106F259C7B05985D740
                Function 014C29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                Download Yara Rule
                Strings
                • HEAP[%wZ]: , xrefs: 014C3255
                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014C327D
                • HEAP: , xrefs: 014C3264
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                • API String ID: 0-617086771
                • Opcode ID: 15c16cf999e09f1d2ad9009be9dc2674ce6f2b146070280338e2a4f735196f60
                • Instruction ID: 99a4074fac1f375ff425ea2c3531647d8c142905d9a8c5ebed8d86032c7be25b
                • Opcode Fuzzy Hash: 15c16cf999e09f1d2ad9009be9dc2674ce6f2b146070280338e2a4f735196f60
                • Instruction Fuzzy Hash: 7692E078A042499FDB65CF68C440BAEBBF1FF48710F14806EE859AB361D7B5A942CF50
                Function 014C0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-4253913091
                • Opcode ID: 7ca310f9c4a08addd2e541f2522d1cd22059e21812fed30c11ca31ccf7046061
                • Instruction ID: 67f59ed5cc42801d05230a552e0e263aedb46d7399ac3cea2cfcff81cca9ec73
                • Opcode Fuzzy Hash: 7ca310f9c4a08addd2e541f2522d1cd22059e21812fed30c11ca31ccf7046061
                • Instruction Fuzzy Hash: 25F1C038600606DFEB26CF68C890BAAB7F5FF85700F14816EE5569B365D734E981CB90
                Function 014D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: $@
                • API String ID: 0-1077428164
                • Opcode ID: 8dc4567d53496c31a483810ff59047d9b99b9d338c17ad541efed833003e1354
                • Instruction ID: 7e5dda7da51d59dfe674d3d2b1f9bba8bc14ef8e11a1efef9ec15a0e5e870d2d
                • Opcode Fuzzy Hash: 8dc4567d53496c31a483810ff59047d9b99b9d338c17ad541efed833003e1354
                • Instruction Fuzzy Hash: 12C290716083419FEB26CF29C490BABBBE5BF88714F05892EF98987361D735D805CB52
                Function 014AA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: FilterFullPath$UseFilter$\??\
                • API String ID: 0-2779062949
                • Opcode ID: cd1b4ed958f9db37d649ca709a721a4cedeb2feb8d4b70998077b215cd23247e
                • Instruction ID: 6acf9be99f6e96ac920543672bd101a97621859f7841f7af078affafde101792
                • Opcode Fuzzy Hash: cd1b4ed958f9db37d649ca709a721a4cedeb2feb8d4b70998077b215cd23247e
                • Instruction Fuzzy Hash: EEA16D319112299BDB329F64CC88BEEB7B8FF55700F1101EAEA08AB250D7359E84CF50
                Function 014D0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                Download Yara Rule
                Strings
                • Failed to allocated memory for shimmed module list, xrefs: 0151A10F
                • LdrpCheckModule, xrefs: 0151A117
                • minkernel\ntdll\ldrinit.c, xrefs: 0151A121
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                • API String ID: 0-161242083
                • Opcode ID: f1d8ad60888bdd962a42757b8531de4d1835f067a3716ffa27f5213d394c88f3
                • Instruction ID: bd3b9e520d0fcd5989641f4d96397b6a44ac7cfac48cf12c131e65b8d50be14d
                • Opcode Fuzzy Hash: f1d8ad60888bdd962a42757b8531de4d1835f067a3716ffa27f5213d394c88f3
                • Instruction Fuzzy Hash: 5871F270A402069FDF2ADF69C890ABEB7F4FB84704F55402EE5169B365E330A946CB50
                Function 014C0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-1334570610
                • Opcode ID: 85cf7f159f738681e15ebba6bc724e2a9795509692774b460a566cac69704593
                • Instruction ID: eaf758eecd583632b640c1d5d4814e3de91f3af478119f3762a43abd355db8d2
                • Opcode Fuzzy Hash: 85cf7f159f738681e15ebba6bc724e2a9795509692774b460a566cac69704593
                • Instruction Fuzzy Hash: 3D61C178610302DFEB69CF28C480B6ABBE1FF55B04F14855EE4558F2A6E770E881CB91
                Function 014EC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                Download Yara Rule
                Strings
                • LdrpInitializePerUserWindowsDirectory, xrefs: 015282DE
                • Failed to reallocate the system dirs string !, xrefs: 015282D7
                • minkernel\ntdll\ldrinit.c, xrefs: 015282E8
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                • API String ID: 0-1783798831
                • Opcode ID: fb4e9bce6547a1fe762f56ad22d46301fcdde5b03cec35e8d8d4c0b698c8b2f0
                • Instruction ID: 03964858199d38b8edb5b360cf3bcb645799cfb209f66cabe1623f7e43d124a5
                • Opcode Fuzzy Hash: fb4e9bce6547a1fe762f56ad22d46301fcdde5b03cec35e8d8d4c0b698c8b2f0
                • Instruction Fuzzy Hash: FA41F272584312ABC720EB69D884B5F7BE8BF65B50F46482FF9549B2A0E770D8048B91
                Function 0156C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                Download Yara Rule
                Strings
                • @, xrefs: 0156C1F1
                • PreferredUILanguages, xrefs: 0156C212
                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0156C1C5
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                • API String ID: 0-2968386058
                • Opcode ID: f458d208f417760f0c055ef082b6f321501c9274ff8160b0ad1ea4232ec25dbf
                • Instruction ID: 55c48db9d241afaf3bf525043dbdfdf8bc1ae709c3bf804b88c459a901ba9a74
                • Opcode Fuzzy Hash: f458d208f417760f0c055ef082b6f321501c9274ff8160b0ad1ea4232ec25dbf
                • Instruction Fuzzy Hash: 77416571E00209EBDF11DED9C851FEEBBBCBB24714F14406BEA85AB250D7749A44CB90
                Function 01544144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                • API String ID: 0-1373925480
                • Opcode ID: db864628aa8c68678832397fbe5a7f15e9679cd8d0385665989215daee1893bd
                • Instruction ID: e5b7f99141132102b4788105b19ee8db25133a6e9111b6efaca3f076a02780a7
                • Opcode Fuzzy Hash: db864628aa8c68678832397fbe5a7f15e9679cd8d0385665989215daee1893bd
                • Instruction Fuzzy Hash: 3741FF72A446498BEB22DFA9C844BADBBB8FFA5748F14045AD901AF791DB348901CB10
                Function 01534755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                Download Yara Rule
                Strings
                • minkernel\ntdll\ldrredirect.c, xrefs: 01534899
                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01534888
                • LdrpCheckRedirection, xrefs: 0153488F
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                • API String ID: 0-3154609507
                • Opcode ID: b7d3a4c5f979706ed3847d990d9b09d13fd40c96a1b71514e24e516ffccf5848
                • Instruction ID: b886f82ef08ff62db02068cd709699af99b20af390dd1947e4c6aa5ce1cd2e88
                • Opcode Fuzzy Hash: b7d3a4c5f979706ed3847d990d9b09d13fd40c96a1b71514e24e516ffccf5848
                • Instruction Fuzzy Hash: BF41AF32A146519FCB22CE69D840A2ABBE4BFC9B50B06056DED589F352E730E811CB91
                Function 014C0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-2558761708
                • Opcode ID: 422efc2f8a0401ce0617cea6c5249a96079aa1afb3bcc9bcf823a3877fb77281
                • Instruction ID: 42d84bff129d789081f16dd94e2b4998bd27bc937f8099209205dfe62ead0c4f
                • Opcode Fuzzy Hash: 422efc2f8a0401ce0617cea6c5249a96079aa1afb3bcc9bcf823a3877fb77281
                • Instruction Fuzzy Hash: 9311F0393A4102DFE76ADA18C440B6AB3A4FF91A15F19801EF4068F269EB70D841C740
                Function 015320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                Download Yara Rule
                Strings
                • Process initialization failed with status 0x%08lx, xrefs: 015320F3
                • LdrpInitializationFailure, xrefs: 015320FA
                • minkernel\ntdll\ldrinit.c, xrefs: 01532104
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                • API String ID: 0-2986994758
                • Opcode ID: b51dd5491c7eb571bc0317dd940bf173bb4d8675087fc21991a4d02ba3a6145b
                • Instruction ID: 6a2fdf6efe337ec44f998b6ad8dc15cc675ab3ab0598f54b32752b40bf2920bd
                • Opcode Fuzzy Hash: b51dd5491c7eb571bc0317dd940bf173bb4d8675087fc21991a4d02ba3a6145b
                • Instruction Fuzzy Hash: CBF0C835680309BBEB24E64DCD46F9A7B68FB80B54F61005EF6006F295D6F0A504D691
                Function 014C03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: #%u
                • API String ID: 48624451-232158463
                • Opcode ID: eaae58c2785a6f84fed40bb13385a0f6440fbb986538dce1ffa332e7768871d4
                • Instruction ID: 8c5737bf09bd2a5f522cc8555eddd9ec183ef035726dd8d6c3799ec55b3bcbdb
                • Opcode Fuzzy Hash: eaae58c2785a6f84fed40bb13385a0f6440fbb986538dce1ffa332e7768871d4
                • Instruction Fuzzy Hash: 72715E75A0014A9FDB01DF99C990BAEB7F8BF58704F15406AE905EB261E734ED01CBA4
                Function 014BA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                Download Yara Rule
                Strings
                • LdrResSearchResource Enter, xrefs: 014BAA13
                • LdrResSearchResource Exit, xrefs: 014BAA25
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                • API String ID: 0-4066393604
                • Opcode ID: e50e83d8f6aba39855575185ddede91ad25ff80623de78a4d9fc5dfd3c3dda68
                • Instruction ID: 385c4d27573a2b018e3b9aefdebae7f2f7990825a8efeecf310b41b5432765c7
                • Opcode Fuzzy Hash: e50e83d8f6aba39855575185ddede91ad25ff80623de78a4d9fc5dfd3c3dda68
                • Instruction Fuzzy Hash: BFE18771E042159FEF22CE99C990BEEBBB9FF58310F20442AE911EB265D734D941CB60
                Function 0157A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: `$`
                • API String ID: 0-197956300
                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                • Instruction ID: 4ca8b8ef4516a435cd3e12735cb3c1ec722d655713033190ea4d1a9998c48885
                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                • Instruction Fuzzy Hash: 80C1CF312043429BEB24CF29D846B2FBBE6BFD4318F084A2DF6968B290D7B5D505CB51
                Function 0152E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: Legacy$UEFI
                • API String ID: 2994545307-634100481
                • Opcode ID: b31bddaece785337c585803df3bfe7cb457d0d5ed87f3ca85533f40abd302e5b
                • Instruction ID: f940249c69548591e07ba92c5a0826a8c5f06ced41fc0dd75ad968b5f025d416
                • Opcode Fuzzy Hash: b31bddaece785337c585803df3bfe7cb457d0d5ed87f3ca85533f40abd302e5b
                • Instruction Fuzzy Hash: 7B616D72E002299FDB14DFA9C881BAEBBF5FB55700F14442EE649EB291D771E900CB50
                Function 014BAC50 Relevance: 2.7, Strings: 2, Instructions: 178COMMON
                Download Yara Rule
                Strings
                • LdrpResGetMappingSize Exit, xrefs: 014BAC7C
                • LdrpResGetMappingSize Enter, xrefs: 014BAC6A
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                • API String ID: 0-1497657909
                • Opcode ID: b740a42e30087dbf96876825bbd8f3835c48ddbb8b5a5d07baa8867d1f8fe7fc
                • Instruction ID: 9b3939c7f8dbcc678a1322594a822be84ff02b5501517f4e2b6392929314f274
                • Opcode Fuzzy Hash: b740a42e30087dbf96876825bbd8f3835c48ddbb8b5a5d07baa8867d1f8fe7fc
                • Instruction Fuzzy Hash: 4161E131A002459FEB12DFADC890BEEBBB9BF54711F24052AE901AB3A0D774D942C720
                Function 014E4C59 Relevance: 2.7, Strings: 2, Instructions: 164COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: 0$Flst
                • API String ID: 0-758220159
                • Opcode ID: e0a21e5995f2a1988145dde6369a45ee9fd15a70627413c85bc9fe5313e28ca8
                • Instruction ID: 1845b7863c5aff4fde502a618730f8be2cce3bf89067a28199941f50c5eca581
                • Opcode Fuzzy Hash: e0a21e5995f2a1988145dde6369a45ee9fd15a70627413c85bc9fe5313e28ca8
                • Instruction Fuzzy Hash: 37517BB2E002148BDF26CF99D488A6EFBF5FF44715F19802AD049DF2A1E7759946CB80
                Function 014B04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                Download Yara Rule
                Strings
                • kLsE, xrefs: 014B0540
                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014B063D
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                • API String ID: 0-2547482624
                • Opcode ID: 961179469a3d411eb01b27b72c04bc8dfd50cd6f2bdf311388ad546c81c0da01
                • Instruction ID: 169e46c38418178ed2a95be6a84b49a5c85766fc457beefcd7aedab766e9a9c3
                • Opcode Fuzzy Hash: 961179469a3d411eb01b27b72c04bc8dfd50cd6f2bdf311388ad546c81c0da01
                • Instruction Fuzzy Hash: C451BB715007428BD724EF29C4806E7BBF4AF94305F10883FEAAA87761E730E545CBA2
                Function 014BA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                Download Yara Rule
                Strings
                • RtlpResUltimateFallbackInfo Exit, xrefs: 014BA309
                • RtlpResUltimateFallbackInfo Enter, xrefs: 014BA2FB
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                • API String ID: 0-2876891731
                • Opcode ID: b5dee811b708dd3c608e3566c1a6c4e80468056f6c8ff099fc394039054ed61a
                • Instruction ID: e40e05d34f0f381162dc300cdee200ef58d0d5bdf797388bd8291924d82ed589
                • Opcode Fuzzy Hash: b5dee811b708dd3c608e3566c1a6c4e80468056f6c8ff099fc394039054ed61a
                • Instruction Fuzzy Hash: 0141AF30A05649DBEB12DF59C480BAE7BB4FF94700F24806AE900DF3A5E375D941CB60
                Function 014EA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: Cleanup Group$Threadpool!
                • API String ID: 2994545307-4008356553
                • Opcode ID: 1270f5c3063fcabcedf61b6331a0f3057f045b0fc1d245bf04d89b9c3960e102
                • Instruction ID: d49ee98b739b474e3fe10c31a693d6b97736eda4245bf5ef7c0c346281555dd0
                • Opcode Fuzzy Hash: 1270f5c3063fcabcedf61b6331a0f3057f045b0fc1d245bf04d89b9c3960e102
                • Instruction Fuzzy Hash: 5A01ADB2240700AFD311DF24CE49B2677E8F795716F05897AA69CCB1A0E374D804CB46
                Function 014BC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: MUI
                • API String ID: 0-1339004836
                • Opcode ID: 5d8bb688fcc9dd3cc9e5dfee201ecbfe27de5212d3c1f87a2a7eda452aa07400
                • Instruction ID: 3ac641dbdf9bedcdd8018d4474855d3cc4043328944170d458e6997198de93f0
                • Opcode Fuzzy Hash: 5d8bb688fcc9dd3cc9e5dfee201ecbfe27de5212d3c1f87a2a7eda452aa07400
                • Instruction Fuzzy Hash: E9826075E002199FDB25CFA9C8C07EEBBB1BF48314F1481AAD959AB361D7309D42CB60
                Function 01536420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: c9774af6418308242e2b4d15a8c38aeb7cf456ec1edb2762b49aac87621a3422
                • Instruction ID: a1bcaf6ba2fd310ed75299e13a3061643adbe994321ca4cb9da47f0c140c6d86
                • Opcode Fuzzy Hash: c9774af6418308242e2b4d15a8c38aeb7cf456ec1edb2762b49aac87621a3422
                • Instruction Fuzzy Hash: A5916271A00219BFEB21DF95CC95FAE7BB8FF54B50F154069F600AB1A0D775A900CB61
                Function 014EA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: GlobalTags
                • API String ID: 0-1106856819
                • Opcode ID: 5516a4e73abdc986cc80b46e7c6660fc73e84bee5a55eb8dd00992f53f6d9f90
                • Instruction ID: 3188b069a80dd46d0f616b4d2e07e3a762e448638b8946dc15922e3d4f6e23f9
                • Opcode Fuzzy Hash: 5516a4e73abdc986cc80b46e7c6660fc73e84bee5a55eb8dd00992f53f6d9f90
                • Instruction Fuzzy Hash: EA717076E0022ACFDF28CF9DD5906ADBBF1BF59710F14812EE905AB291E7709841CB50
                Function 014CE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: EXT-
                • API String ID: 0-1948896318
                • Opcode ID: 468cf280ef63ca2932d86db38c47f2c48e98f66f0ae68285431190e3236ef1b0
                • Instruction ID: c9927c52ccfe604bae69f3ffbcc217884c8ad1d75ae317650346e3a148ef7c3d
                • Opcode Fuzzy Hash: 468cf280ef63ca2932d86db38c47f2c48e98f66f0ae68285431190e3236ef1b0
                • Instruction Fuzzy Hash: 5641C17A5093029BD761DA76C840B6FBBE8AF98A04F44092FF684F7260E774D905C792
                Function 014ACDEA Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: AlternateCodePage
                • API String ID: 0-3889302423
                • Opcode ID: bcc69d1dbca0f1dfd75036f00eb93e66a8c298c417838226932928a66668e327
                • Instruction ID: 781528d477d94a2702e847fab5d374aac2ae6e860ef8f616dcdeea6105554a94
                • Opcode Fuzzy Hash: bcc69d1dbca0f1dfd75036f00eb93e66a8c298c417838226932928a66668e327
                • Instruction Fuzzy Hash: 6B41E276D00209ABDF26DB99C881AEEBBB8FF54320F15411EE515AB2A0D7709A41CB90
                Function 0152C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: BinaryHash
                • API String ID: 0-2202222882
                • Opcode ID: 1c352825921c115f9edaa526fa57d8c187bb005b34684941d22b7027565808fe
                • Instruction ID: 233010fd1aa6017fbb8acfdaafa7a99b6ed9e0845192fd29e1e2bc1367866f4e
                • Opcode Fuzzy Hash: 1c352825921c115f9edaa526fa57d8c187bb005b34684941d22b7027565808fe
                • Instruction Fuzzy Hash: 754146F2D0052DAADB21DA50CC84FDE777CBB55714F0085A9E708AB191DB709E498FA4
                Function 01546B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: 2a9f2cc16379b4199c6e5062595a313d63de7103d4a6090de5c05ef7d543176a
                • Instruction ID: 691e4aa7f0c1c8be13e485550ceb0e3697f8c0b7da76789182fa61bb9205c090
                • Opcode Fuzzy Hash: 2a9f2cc16379b4199c6e5062595a313d63de7103d4a6090de5c05ef7d543176a
                • Instruction Fuzzy Hash: C3311831A007199BEB22CF69C854BAE7BA8EF16708F14402DE940AF292DB75DC45CB94
                Function 0152CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: BinaryName
                • API String ID: 0-215506332
                • Opcode ID: 8e18a2997071cbed2aab9d00d753d99c14139cf8a200979899886ce11001ac55
                • Instruction ID: 89eaea1803acb5bc0f4dbd8044849350882c652864046b247ed174fcbbb90a5d
                • Opcode Fuzzy Hash: 8e18a2997071cbed2aab9d00d753d99c14139cf8a200979899886ce11001ac55
                • Instruction Fuzzy Hash: AA31033790052AAFEB15DB59C851E6FBBB4FB92760F014169E905AB292D730DE00DBE0
                Function 0153892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                Download Yara Rule
                Strings
                • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0153895E
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                • API String ID: 0-702105204
                • Opcode ID: fde12851a52c08314b567e775b8251ecaba37bfb64aa39d9576f020510084848
                • Instruction ID: d8d0775e743ac07b13e663e7ba4c7815b031c39f763dd2ebb3e791b96b953c76
                • Opcode Fuzzy Hash: fde12851a52c08314b567e775b8251ecaba37bfb64aa39d9576f020510084848
                • Instruction Fuzzy Hash: 0001F7332502119BE6296A5ADCC4E9E7BA5FFD1254B45062DF6411F161CB306845C7A2
                Function 01548158 Relevance: .6, Instructions: 617COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd3111c406f1d1bdf2bcf84a6adc000f251ee2be0740b3a44f98d6a7fd522d9d
                • Instruction ID: eccbde87813e939daf4274240110933f86c3b5e3b7fde3619993e168ab429301
                • Opcode Fuzzy Hash: bd3111c406f1d1bdf2bcf84a6adc000f251ee2be0740b3a44f98d6a7fd522d9d
                • Instruction Fuzzy Hash: D3426D75E002198FEB24CFA9C881BADBBF5BF58304F14809EE949EB252D7349985CF50
                Function 014C2840 Relevance: .6, Instructions: 605COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3f46fbef4b561d1d952398651c55157a2c837190ecb5a0873c08ea0129872a96
                • Instruction ID: f5989598ba9770d0a22ad762bfa72ff5d273af42f2f626ec6d341591fb4e674e
                • Opcode Fuzzy Hash: 3f46fbef4b561d1d952398651c55157a2c837190ecb5a0873c08ea0129872a96
                • Instruction Fuzzy Hash: D8322474A007568FEB26CF69C844BBEBBF2BF84700F14451ED8469F289D7B4A842CB50
                Function 0155A118 Relevance: .6, Instructions: 591COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d900d798d51313afd49450b0f34085d7c25fb675fdb556a78f0a79deac64b1e6
                • Instruction ID: 03978feedb157566341959fe0f3de22a37daebb29365329a30923fa45a2979de
                • Opcode Fuzzy Hash: d900d798d51313afd49450b0f34085d7c25fb675fdb556a78f0a79deac64b1e6
                • Instruction Fuzzy Hash: B222C1706146618BEBA5CF2DC06077ABBF1BF44344F088A5BDD968F286E335E452CB60
                Function 014D8DBF Relevance: .6, Instructions: 554COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f1e0b5308980103d921b4f588215c37b0ddfaf6ec1891d9b7555b9fd2ea0071a
                • Instruction ID: a53276bf592da6b529fa1e6e94a0755816bd1429fdeafd7d1eb75235f68b7c52
                • Opcode Fuzzy Hash: f1e0b5308980103d921b4f588215c37b0ddfaf6ec1891d9b7555b9fd2ea0071a
                • Instruction Fuzzy Hash: 8B229070E0021ADBDF16CF99C4909BEFBF2BF48314B1480AAE9559B255E774ED42CB60
                Function 014B6A50 Relevance: .5, Instructions: 548COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 455ebc30cd12e4e582c79bc9c71e9028ca797be8da82c691e0e146bf68ec7559
                • Instruction ID: 531c4e96c0b4706a8a2999a046ece8e7bf8ecbbcd483aeb0333bbae923fe6f5b
                • Opcode Fuzzy Hash: 455ebc30cd12e4e582c79bc9c71e9028ca797be8da82c691e0e146bf68ec7559
                • Instruction Fuzzy Hash: C0329C70A04615CFDB25CF69C4C0AAEBBF1FF48310F1545AAEA55AB3A5D730E842CB60
                Function 014D4A35 Relevance: .4, Instructions: 423COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                • Instruction ID: 42d2905fc96fa46c07adcc4a85188f4a04d3d40e7a77aadd371c92b926c28829
                • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                • Instruction Fuzzy Hash: 22F19271E0020A9FDF15CF99C5A0BAEBBF5BF48710F09812AE901AB764E774D842CB50
                Function 0154892B Relevance: .4, Instructions: 386COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ac60c98df281ad08768530760961e31e407778aafde28f50a4a9e7a925ef691
                • Instruction ID: 01bb53339ed9e58d198bb16378ca7da95d2a74dfb5012f1d4c832da39cbb4b59
                • Opcode Fuzzy Hash: 9ac60c98df281ad08768530760961e31e407778aafde28f50a4a9e7a925ef691
                • Instruction Fuzzy Hash: 90D1E071A0060A9FDF05CFA9C841AFEB7F1BF88318F18856AD955AB241E735E905CB60
                Function 014B65D0 Relevance: .4, Instructions: 383COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c88744b2cbbc8bf8538a366a768f1e2a7c789b2e3c211e5b2d210e8b18453dd1
                • Instruction ID: 4ea97af75ab850d1f448ea1fb161371fae8b5858633a366df1e5c5bb442d3748
                • Opcode Fuzzy Hash: c88744b2cbbc8bf8538a366a768f1e2a7c789b2e3c211e5b2d210e8b18453dd1
                • Instruction Fuzzy Hash: 16E16D75508341CFC715CF28C4D0AABBBE1BF99314F06896EE9998B361DB31E905CBA1
                Function 014A8397 Relevance: .4, Instructions: 380COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76f60b3fa9faa541b9d331a2b4d144826d8f8f2a447402ea904c91c4f224a5e9
                • Instruction ID: 2a1aec650d2dbe23714ca3e3df1fabd70d9a1b2b32a47ece701a6a820b810191
                • Opcode Fuzzy Hash: 76f60b3fa9faa541b9d331a2b4d144826d8f8f2a447402ea904c91c4f224a5e9
                • Instruction Fuzzy Hash: 3BD1E175A006079BDB15CF69CC80EBE7BB5FF64205F46422EE916DB2A0EB30D951CB60
                Function 01538243 Relevance: .3, Instructions: 322COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                • Instruction ID: 666c823b1f11cfb02e0ef5ba0a38a7f79589662670e73bb8826049fd0622775c
                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                • Instruction Fuzzy Hash: 6CB15E74A00605AFDF28DB99C940EAFBBB9BFC4304F14456DBA529B791DA34E909CB10
                Function 014C0535 Relevance: .3, Instructions: 300COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                • Instruction ID: 4a1e98d25dcb66a0ac3fe2b0eb5c003766eed422cf75a70ca94c632288bb4a67
                • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                • Instruction Fuzzy Hash: 13B1E339600646DFEB16CBA8C850BBEBBF6BF94700F14415EE6529B395D730E942CB90
                Function 014D0DE1 Relevance: .3, Instructions: 295COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2463543a66aa509c6edaaf54d496e4c4f4d8fbab0b12d57a556c5a26bbab0d6a
                • Instruction ID: f52fc76e8ab5a47faa9c788fd37eaf936832bb20f727d85b5961664479245723
                • Opcode Fuzzy Hash: 2463543a66aa509c6edaaf54d496e4c4f4d8fbab0b12d57a556c5a26bbab0d6a
                • Instruction Fuzzy Hash: 5DC18C70E00249DFDF26DFA9C894AAEBBB5FF58704F10412EE515AB365E770A841CB90
                Function 014B83C0 Relevance: .3, Instructions: 281COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6f6aff7a7204d9fd01659013fc8c55ba6addd687eacd54456570a03200bf701e
                • Instruction ID: cf7cde58c03545fe84b5bd329fb61fc8f4736ad086d0ecbeb4f7be6548e8903a
                • Opcode Fuzzy Hash: 6f6aff7a7204d9fd01659013fc8c55ba6addd687eacd54456570a03200bf701e
                • Instruction Fuzzy Hash: 74C15A741083418FE764DF19C484BABB7E5BF98304F44496EE9898B3A1D774E904CF62
                Function 014AC427 Relevance: .3, Instructions: 280COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e3dca18ac0865c4a2424bb75db459cca0e4d82be2d3820378f946c0809fec30c
                • Instruction ID: a79acf5f8ca07696c715080a16dccba2cb7a88f1fac2cc75b4590594d3f29c4c
                • Opcode Fuzzy Hash: e3dca18ac0865c4a2424bb75db459cca0e4d82be2d3820378f946c0809fec30c
                • Instruction Fuzzy Hash: A0B17270A002668BDB65CF59C890BADB3B5EF54700F4585EAE54AEB391DB309D86CB20
                Function 014DE5E7 Relevance: .3, Instructions: 278COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12c13d832fb4857945ae34c7c3b443d64da67583113d8a46f9201dbf87e2b440
                • Instruction ID: 2c14c355655e17e9b5e73eb0158e94e8141c7e7966d668d39ad191fc683d7ca2
                • Opcode Fuzzy Hash: 12c13d832fb4857945ae34c7c3b443d64da67583113d8a46f9201dbf87e2b440
                • Instruction Fuzzy Hash: D9A10131E04619AFEF22DB98C854FAEBBA4BB00714F05012BEA10BF2E5D7749D45CB91
                Function 014F0185 Relevance: .3, Instructions: 276COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 231b91d7c4de3fa3f926fcbc69ebcc2f1e01896e185c969d84d164837620089d
                • Instruction ID: b2c5640f664833471866fe769cf3ac2e40f19b2b54c663e6a193fac6d595e806
                • Opcode Fuzzy Hash: 231b91d7c4de3fa3f926fcbc69ebcc2f1e01896e185c969d84d164837620089d
                • Instruction Fuzzy Hash: 6BA1C471B006269FDB25DF69C490BAAB7E2FF94314F14402EEB059B3A2DB74E812C750
                Function 01584500 Relevance: .3, Instructions: 275COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 420e67a067b7f18c3f80bf878dd1695c008ba30865781120c3629526d320428d
                • Instruction ID: c29ea4637456fff3e9421aa70d171b4dc3716533247e08d41dd68d3301680af7
                • Opcode Fuzzy Hash: 420e67a067b7f18c3f80bf878dd1695c008ba30865781120c3629526d320428d
                • Instruction Fuzzy Hash: 42A1DD72A10252DFC711EF19C980B6ABBE9FF58704F45092DEA86EB660D374E901CB91
                Function 015360E0 Relevance: .3, Instructions: 264COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 57b8753d29ca7364c4e0d17896b8e9a886eceb69fe20fca3deb6d1a21419adea
                • Instruction ID: 847c0171c857aa09473a773a5b7b22119685a9d9190d6140c0eae5f302bad964
                • Opcode Fuzzy Hash: 57b8753d29ca7364c4e0d17896b8e9a886eceb69fe20fca3deb6d1a21419adea
                • Instruction Fuzzy Hash: 77916F71E00216BFDF15CFA9D894BAEBBB5BB88710F15416DE610EF251D734EA009BA0
                Function 014CE3F0 Relevance: .3, Instructions: 261COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3ac8638137efed42426dec7b984aa40c1281c1966fda0fd951378cca1eb41855
                • Instruction ID: 7ee69478b40ec3438a531876bdbbf831c02593e731fde4ef953a57b8fea6be16
                • Opcode Fuzzy Hash: 3ac8638137efed42426dec7b984aa40c1281c1966fda0fd951378cca1eb41855
                • Instruction Fuzzy Hash: 5D913439A00616CBEB65DB59C440B7EBBA2FFA4B14F05406EED05AF3A4E734D902C791
                Function 01506ACC Relevance: .2, Instructions: 226COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8dd1aec1922e8414b63ba3f74ca19ba9aeedd11ace4a9cd9aaafef34d99d6716
                • Instruction ID: ee7d8c104e3b4044e486a737543d26328aa1b15059cc561eeb11a2a209aba209
                • Opcode Fuzzy Hash: 8dd1aec1922e8414b63ba3f74ca19ba9aeedd11ace4a9cd9aaafef34d99d6716
                • Instruction Fuzzy Hash: 0281A5B1E006169FDB25CFA9C840ABEBBF9FB58700F04852EE545DB680E734D950CBA4
                Function 0157AB40 Relevance: .2, Instructions: 222COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                • Instruction ID: 906b8ed670be6033c9dfce60f992a3ab72561d76ff8db7884ce8fbffde4675c2
                • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                • Instruction Fuzzy Hash: D1817072A0020A9FDF19CF99D891AAEBBF6FF84310F188569E9169F345D734E901CB50
                Function 014A6D10 Relevance: .2, Instructions: 216COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1344991bd3c11b43af20812fb76ca3aeec20c15007c3607bccf860ffdf4ba4d6
                • Instruction ID: eb0630c808cb95552e10415383dd4af0aec51a6791ed9a8ee9cda787d4571fcf
                • Opcode Fuzzy Hash: 1344991bd3c11b43af20812fb76ca3aeec20c15007c3607bccf860ffdf4ba4d6
                • Instruction Fuzzy Hash: 6871C776A447029FDB22CF99C544B6EB7E4BB44344F05492AE959CF296D330EC84CBD2
                Function 014EE284 Relevance: .2, Instructions: 212COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c86d962c2104173f55090f5a73b3e1b68b3c2c244846f121f965d2e8fd4c890
                • Instruction ID: a854c92d673c8b75033c7533d3c644e93d64f421ff4707bc158287476bc3f891
                • Opcode Fuzzy Hash: 4c86d962c2104173f55090f5a73b3e1b68b3c2c244846f121f965d2e8fd4c890
                • Instruction Fuzzy Hash: 01815E71A00619AFDB25CFA9C884AEEBBF9FF88354F10442EE555A7360D770AC45CB60
                Function 014CC640 Relevance: .2, Instructions: 206COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 474a488102fc6869b76a96a15f9d5dfa33ed46b07d9c27708bbad8b3819dcff9
                • Instruction ID: 758845975f28787e8627caa2e67b34ae5b97bf13405fcf166e9f15c289a2b3c8
                • Opcode Fuzzy Hash: 474a488102fc6869b76a96a15f9d5dfa33ed46b07d9c27708bbad8b3819dcff9
                • Instruction Fuzzy Hash: D971DD79D0122ADFDB268F59C9907BEBBB0FF58B10F54415EE856AB364D3309805CBA0
                Function 01548D6B Relevance: .2, Instructions: 206COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3cc0e403187518f959d1007a6f3ee183101e7a405f0b8feab404225bd84ab7d9
                • Instruction ID: 7d154bed209cc9fe31eb55d02008c47d0fe6247a6106ba09f5ffada7a519a802
                • Opcode Fuzzy Hash: 3cc0e403187518f959d1007a6f3ee183101e7a405f0b8feab404225bd84ab7d9
                • Instruction Fuzzy Hash: 8271C274904256AFCB15CF99C840ABEBBF1FF85308F048499E994DF211E335EA55C7A0
                Function 014C260B Relevance: .2, Instructions: 201COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9626fa83bee85a2c97ae065f76667800d484df1df9669cc58037717aa6ed7e38
                • Instruction ID: 720551fa63d00c3efbbcac342ad4375e0f88a8d250dc4d65bff8ed3996f5f08c
                • Opcode Fuzzy Hash: 9626fa83bee85a2c97ae065f76667800d484df1df9669cc58037717aa6ed7e38
                • Instruction Fuzzy Hash: F371D2397046429FD352DF2CC480B6AB7E5FF94710F0485AEE8998B361DBB4D846CBA1
                Function 0153035C Relevance: .2, Instructions: 198COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                • Instruction ID: f7391a0c09604ee458bf00213f3670f467528f80f9f921c875f731c0c51b9a4e
                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                • Instruction Fuzzy Hash: 55716071A0061AEFDB11DFA9C984EDEBBB9FF98700F104569E505EB290DB34EA01CB50
                Function 015462A0 Relevance: .2, Instructions: 198COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3849df167d37a9bb142b28c37e16d3ae5d97eed6b03abf0792181e9fc8abbdf5
                • Instruction ID: b6421eb19b4996a3dacf1896bbe979ee2df09420b32add888735f38dc4fb08af
                • Opcode Fuzzy Hash: 3849df167d37a9bb142b28c37e16d3ae5d97eed6b03abf0792181e9fc8abbdf5
                • Instruction Fuzzy Hash: 5C71E132200B02AFEB32CF19C884F5ABBE6FB55728F15482DE6158F2A0D774E944CB50
                Function 014B8AA0 Relevance: .2, Instructions: 197COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fef33931139e045d6ec1e24177db3da8b77ab7cc966a5a033b210daf98d4ec93
                • Instruction ID: a57ba7669faaca74130468de7b64e9101e34236ebb0a88f99b5eabab4c7b9984
                • Opcode Fuzzy Hash: fef33931139e045d6ec1e24177db3da8b77ab7cc966a5a033b210daf98d4ec93
                • Instruction Fuzzy Hash: 5B81A371A08306CFEB25CF98D484BAE77B5BB48310F6A412ED9206F395D7749D41DBA0
                Function 014ECDB1 Relevance: .2, Instructions: 197COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47f0ce1e70a61282d6cf111fe34b93b96188dfb2a4727d8bee5f28527f7ac188
                • Instruction ID: bb5a716557d93ddb530ea06a6b4eccff5eefcc9365bd5dfd77ed204bf9e46def
                • Opcode Fuzzy Hash: 47f0ce1e70a61282d6cf111fe34b93b96188dfb2a4727d8bee5f28527f7ac188
                • Instruction Fuzzy Hash: 7261E172A00216DFCB19DFA8C884AAEB7F5FF59324F14416EE611EB2A1DB719901CB50
                Function 014DEDD3 Relevance: .2, Instructions: 166COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3dfba36c4cac38effab1c82697d27e900a6eaba9596eba26b1de894932358f98
                • Instruction ID: af49769b72be5712a24ee17f8108af7ac91560f0de9515548419258d940e6077
                • Opcode Fuzzy Hash: 3dfba36c4cac38effab1c82697d27e900a6eaba9596eba26b1de894932358f98
                • Instruction Fuzzy Hash: C151C171200741DFEB21DF5AC894B6BB7E9FB64719F50092FE102AB661CBB4E845CB50
                Function 014DCDF0 Relevance: .2, Instructions: 165COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                • Instruction ID: 294268723614f1de15f95336de61599e4295bffcb3232a24c47c370be91e1030
                • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                • Instruction Fuzzy Hash: D8518075E0060ADFEF16CF9CC9C16EEBBB1FB88214F18816ADD15AB214D7349A41CB94
                Function 01578DAE Relevance: .2, Instructions: 162COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: db99b6f37b4cfaf1a2d792d09f419ceaaa5df6c7b405a46c92d8551afdeea394
                • Instruction ID: 1776b78ccd8d2fc3949aff6dde96ce6c8727c3c66833800dfe7c4cec99c7c7c7
                • Opcode Fuzzy Hash: db99b6f37b4cfaf1a2d792d09f419ceaaa5df6c7b405a46c92d8551afdeea394
                • Instruction Fuzzy Hash: A651F1726047029FD711CF28D845BAABBE5FF84350F04892CFE959B290D734E908CB95
                Function 014EE443 Relevance: .2, Instructions: 158COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3b1d6c48604ae19804c2dfc967fda7724702173dae95ba62782abe70b1ec75da
                • Instruction ID: 420b28202bd8bcd9f9f08f4a1c63670f769bf84cb70431fca85722179ca65a80
                • Opcode Fuzzy Hash: 3b1d6c48604ae19804c2dfc967fda7724702173dae95ba62782abe70b1ec75da
                • Instruction Fuzzy Hash: 2A517E72200A15DFCB22EFAAC984EAAB3F9FF25744F51046EE65197270D734E941CB50
                Function 014D45B1 Relevance: .2, Instructions: 156COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                • Instruction ID: 58eab6dd20cd9fecc70c37c1fa6b09511a92a942b84815f2f79914523fd97bf4
                • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                • Instruction Fuzzy Hash: 1A51EF75E0021AABDF12CF98C460BFEBBB5AF54310F09406AEA05AB360D734DD44CBA0
                Function 0153E9E0 Relevance: .2, Instructions: 154COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                • Instruction ID: 84b59caf878e72458e835e0250bc67135ed374ec1c47279324a3632ef2f5f913
                • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                • Instruction Fuzzy Hash: 9351B931D0020AEFDF169F94C896FAEBBF5FB90314F154659D6116B290D7709E418BA0
                Function 01578B28 Relevance: .2, Instructions: 152COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8098024e3f0d7bb48b5287e1935c3c22eec316f95ef2a1a2eb6c0c7dbbc8f12
                • Instruction ID: 764c00e6720f204bd8dd565b8cb2d5505fd2390541b74f14c3fce759befae6f4
                • Opcode Fuzzy Hash: f8098024e3f0d7bb48b5287e1935c3c22eec316f95ef2a1a2eb6c0c7dbbc8f12
                • Instruction Fuzzy Hash: B041DB717016129BD725DB2DE89AF7FBB9AFFD0620F088519E9598F280D730D801C791
                Function 0153CBF0 Relevance: .1, Instructions: 148COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1f0a58eb807297c655ebc58533a219c7a53fd742b1427339274873b13fb02e3d
                • Instruction ID: 5e3813d31fb3726cab0727e69ad9d050adaa67f9a606f4ea7fb120aa928ed561
                • Opcode Fuzzy Hash: 1f0a58eb807297c655ebc58533a219c7a53fd742b1427339274873b13fb02e3d
                • Instruction Fuzzy Hash: 7A518E7590021ADFCB20DFA9C98499EBBB9FB98314B55491AE516BB300D734AD01CB90
                Function 014EA430 Relevance: .1, Instructions: 139COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4411696afeb95ce41af529f21f73c10325823a30d4da526a4077ccca0428c985
                • Instruction ID: fa3e16441107cdbe3f0459806f556f5a5cf9f52a888c321350af272a59e88b0b
                • Opcode Fuzzy Hash: 4411696afeb95ce41af529f21f73c10325823a30d4da526a4077ccca0428c985
                • Instruction Fuzzy Hash: 98412B726802229BDB35EF699884F6E37E4FFA5709F42002EFE129F261D77198049791
                Function 0157A9D3 Relevance: .1, Instructions: 139COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                • Instruction ID: 42dd89a2f412ab4c8c8be773bcb08255b2e0e6a5823ad9368aaec86c0885ff64
                • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                • Instruction Fuzzy Hash: F041F9726007169FDB25DF28D981A6FB7E9FF90210B09462EE9568F640EB70ED14C7D0
                Function 014E01F8 Relevance: .1, Instructions: 138COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e8fe7a896e98fad32e1d27832541b67f6c0cffaa56dbac167121f190c901e54
                • Instruction ID: a366b117288730945c38f04393a2189fe4d3421a757511f273caabaa6197d243
                • Opcode Fuzzy Hash: 5e8fe7a896e98fad32e1d27832541b67f6c0cffaa56dbac167121f190c901e54
                • Instruction Fuzzy Hash: 1541AC36A012159BDB11DF98C444AEEB7F4BF58611F14812BF825AB360D7B49C42CBA4
                Function 014DEBFC Relevance: .1, Instructions: 138COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47838f556248d009c2b0978d954c1e7d25bf3ef14d142e4bb78444a37f13386b
                • Instruction ID: cc6f18bfddb6cf349fc6ef51a6ab4d8d8d734b3024baef24772ef8c0215fefe9
                • Opcode Fuzzy Hash: 47838f556248d009c2b0978d954c1e7d25bf3ef14d142e4bb78444a37f13386b
                • Instruction Fuzzy Hash: F041E4712003029FEB21DF29C894A2BB7E5FF98614F45482FE557DB325DB71E8498B50
                Function 014F2750 Relevance: .1, Instructions: 137COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                • Instruction ID: fb63e463adf30970e5ae953e7002f958b1a6a9df7238b4dc64974d23b8e6d93d
                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                • Instruction Fuzzy Hash: 84516C76A00625CFCB15CF58C480AADF7B2FF85710F2481A9D915AB795D770EE42CB90
                Function 014B6154 Relevance: .1, Instructions: 133COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 575c645b5bf9077f0663018236f19afeb329b2874d2c121d50b1a6018be9275e
                • Instruction ID: 9a52bb93c7c1d7a8a931b4da5453ed6c82db547a501a5b9fb999efade10dbcb4
                • Opcode Fuzzy Hash: 575c645b5bf9077f0663018236f19afeb329b2874d2c121d50b1a6018be9275e
                • Instruction Fuzzy Hash: C6510670940217DBEB2A9B28CC40BEDBBB1FF21314F1582AAD5259B2E5D7749981CF50
                Function 014B0BCD Relevance: .1, Instructions: 130COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 197783bf2be15d7a3d6aa48847f7383877db1fa6b7a4e9e0b247210c0c79535e
                • Instruction ID: d83d085b63af053fe4ef72de6650f063db1b4e833fbf122d0e769eec37abc7ed
                • Opcode Fuzzy Hash: 197783bf2be15d7a3d6aa48847f7383877db1fa6b7a4e9e0b247210c0c79535e
                • Instruction Fuzzy Hash: 9041C476A00228DBDB21DF69C881BEE77B4FF54740F0504AAE908AB251D7749E81CF91
                Function 014B0D59 Relevance: .1, Instructions: 130COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a708474076e21e0d2ea466753b8b3377a1cfc166c946f55ef585db12bc7f1338
                • Instruction ID: d6d3824bfec974d62a476d7e1dd0897545f9400c45966a58714315c752871ba7
                • Opcode Fuzzy Hash: a708474076e21e0d2ea466753b8b3377a1cfc166c946f55ef585db12bc7f1338
                • Instruction Fuzzy Hash: B041B1716003149FEB329F29CC80BAB77B9AB64A20F0404AFF9459B2A1D770ED40CB61
                Function 0157866E Relevance: .1, Instructions: 129COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                • Instruction ID: dec2726912a24e31e2d62df118fc6b858314ebd5b1a466267891ffa05a341a01
                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                • Instruction Fuzzy Hash: B341A675B00106ABDB15DF99DC9AABFBBBABF98600F244069E905EB341D670DD01C7A0
                Function 014B0887 Relevance: .1, Instructions: 128COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94a79caa1505723f988b1de932195bba06284d1b069bcd920656012608591244
                • Instruction ID: 1a7a47ae35e795cae5f0f790434729828ff2a88af28662a560e27127e5efeda2
                • Opcode Fuzzy Hash: 94a79caa1505723f988b1de932195bba06284d1b069bcd920656012608591244
                • Instruction Fuzzy Hash: 4341E2706007029FE325CF29C580A67B7F5FF58315B144A6FE55787A60E770E846CBA0
                Function 014DA470 Relevance: .1, Instructions: 127COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39b51515a2f89d82a165a1667e9f60013c190c7e54e76b83370996f3e2e08251
                • Instruction ID: 4f9761fdef475f628bee202c345a1027d5f6167523bb2cdcee5ff9ea70806965
                • Opcode Fuzzy Hash: 39b51515a2f89d82a165a1667e9f60013c190c7e54e76b83370996f3e2e08251
                • Instruction Fuzzy Hash: 0341F332980205CFDF22DF68C4A47EE7BB4FB54310FA9016AD521AB3A5DB74D905CB64
                Function 014B8BF0 Relevance: .1, Instructions: 124COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ede6530af7a30ceee49f400e42f9a89ab1b13c3320dec0d2a942d03e0816ad8f
                • Instruction ID: c8894c0cc2324323e133c68e6a18e73e49de61aa8b7d87233602c008259f3aeb
                • Opcode Fuzzy Hash: ede6530af7a30ceee49f400e42f9a89ab1b13c3320dec0d2a942d03e0816ad8f
                • Instruction Fuzzy Hash: 96412671900203CBD7259F89C880A9EBBBDFB94710F69802FD5219F365D374D802DBA0
                Function 014A8918 Relevance: .1, Instructions: 123COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 852607fbd45ab082d79a3b90bbafac534dbf176da75e7864998eed113dd304b6
                • Instruction ID: 1563115baf6075314d793e181214efa8859266b146d8974e13fac53c07ac018e
                • Opcode Fuzzy Hash: 852607fbd45ab082d79a3b90bbafac534dbf176da75e7864998eed113dd304b6
                • Instruction Fuzzy Hash: AC414D755083069ED712DF658880A6BF6E9FF94B54F81092FF984DB260E730DE058B93
                Function 014AA020 Relevance: .1, Instructions: 122COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                • Instruction ID: f6ba070304c21f8246e5a20796d76cd38e1ecfbf0ae882d6fc5173ea4f873110
                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                • Instruction Fuzzy Hash: 85413C75A04211DBDB12DE9984C0BBEBB71FB70754FA7806FE9558F290D6329D40CB90
                Function 014B09AD Relevance: .1, Instructions: 122COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 968686f8fa13ab371cc3efe7481d8f9c4dc706387fc77cfad1cc7e0a48b1c255
                • Instruction ID: dcb146371944a3248aaa56a80c3f80fd07aaec60d6fb9d8fd7cfdec2437a9932
                • Opcode Fuzzy Hash: 968686f8fa13ab371cc3efe7481d8f9c4dc706387fc77cfad1cc7e0a48b1c255
                • Instruction Fuzzy Hash: D7414A71640601DFD721CF59C880B67BBF4FB68715F248A6EE4498B361E771E9428BA0
                Function 014E0710 Relevance: .1, Instructions: 121COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                • Instruction ID: bbbfb0c8504e505f416fe5459eaf85b227ccad997d719644269bdd719926071d
                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                • Instruction Fuzzy Hash: 11413975A00605EFDB24CF99C994AAABBF4FF18701B10496EE566D7260D370EA44CF50
                Function 014B262C Relevance: .1, Instructions: 119COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b7562e07bf0321097cf53db908387108db105b61f37108bd47d96e95229efb89
                • Instruction ID: 514bbc3bca5d5e32dead53de0a9df267f71da994df0d03d250861b813d07e1f7
                • Opcode Fuzzy Hash: b7562e07bf0321097cf53db908387108db105b61f37108bd47d96e95229efb89
                • Instruction Fuzzy Hash: 5841AD71901705CFC722EF69C980A9AB7F5FF64310F1585AFC41A9B2B1DBB0A941CB61
                Function 014EC8F9 Relevance: .1, Instructions: 116COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a27da9df19fac2e3ba102ab3c20c93a1e54ebbbd1755c3c76ad16b8b817ab0d
                • Instruction ID: 86850f4f2da0876ab766f76735dbf546c65b5189a5caa1f47818cd3a8b8d9fb2
                • Opcode Fuzzy Hash: 2a27da9df19fac2e3ba102ab3c20c93a1e54ebbbd1755c3c76ad16b8b817ab0d
                • Instruction Fuzzy Hash: 84317AB2A01355DFDB12DFA8D040799BBF0FB49715F2081AED119EB2A1D3369902CF90
                Function 015307C3 Relevance: .1, Instructions: 114COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 882b3e2bb5f1aaeaa8fb5227540d35d010ac110944f7f9b270bc52497b193fd0
                • Instruction ID: df7081f1b51a5160f8b8823b2d27b4d04b9cf392ff92d3aa821613777a3a13b3
                • Opcode Fuzzy Hash: 882b3e2bb5f1aaeaa8fb5227540d35d010ac110944f7f9b270bc52497b193fd0
                • Instruction Fuzzy Hash: 19418CB25043419FD720DF29C844B9BBBE8FF98664F404A2EF5A8DB291D7709904CB92
                Function 015305A7 Relevance: .1, Instructions: 111COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 81775bcc6230d96f680ad0c0e07a4352cc5bdd4c76c13dc190940a699e814465
                • Instruction ID: eea155453c0594f62a31ce23daffacc86061a13a13e31ea98d4604d57b87ad1a
                • Opcode Fuzzy Hash: 81775bcc6230d96f680ad0c0e07a4352cc5bdd4c76c13dc190940a699e814465
                • Instruction Fuzzy Hash: FA41BF726047429FD321DF69C840A6EB7E9BFD8700F144A2EF9949B690E730E905C7A6
                Function 014B4859 Relevance: .1, Instructions: 111COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7bb2c298263b069734bf4f38d4311bff6a25e5781d76ac4192865d561729995b
                • Instruction ID: 412e586c862ffb9b7399bcdf5208924652e0b9e8829c6c376b413afeda2e1ee5
                • Opcode Fuzzy Hash: 7bb2c298263b069734bf4f38d4311bff6a25e5781d76ac4192865d561729995b
                • Instruction Fuzzy Hash: D941B1302003019BD725DF29D884B6BBBE5AF90750F18442EE6568B3B2DB70D855CB61
                Function 0041AA8F Relevance: .1, Instructions: 107COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551233872.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_400000_#U0110#U1eb7t h#U00e0ng.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3111a3d1f94926a063134be75d68ee6ecb0113c2681ba185f40ba243948901a
                • Instruction ID: cbc3848a2f032deba2f8a5d37d2725668610867b6b4bc20eef8b980bd64e3eeb
                • Opcode Fuzzy Hash: c3111a3d1f94926a063134be75d68ee6ecb0113c2681ba185f40ba243948901a
                • Instruction Fuzzy Hash: F831BD72A08265DBC313DF79DE859CABBB0FE1135030882AED8148B642D725D04BCBE5
                Function 014C02E1 Relevance: .1, Instructions: 106COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                • Instruction ID: 507d2dfbdf8dcf0e3e5e3fce6fbe9bb670eb388c9f922aeabcb58effc63ce9ca
                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                • Instruction Fuzzy Hash: 54310439A04245EBDB528B69CC84BDBBBE8AF54750F0441ABF415DB362C7749844CBA0
                Function 014B4260 Relevance: .1, Instructions: 102COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 60c908a732cc9169bb3e6601021a61a96f11b122e1da52fb10450594480567a1
                • Instruction ID: cd32e53bc1695d58d8a7d5e41fb9a233e158dcfa04ac927558645c0de84c2b8b
                • Opcode Fuzzy Hash: 60c908a732cc9169bb3e6601021a61a96f11b122e1da52fb10450594480567a1
                • Instruction Fuzzy Hash: 1F41D171200705DFD722DF28C880FDA7BE4BF55710F18842EE6AA8B2A1C770E845CB60
                Function 01550DF0 Relevance: .1, Instructions: 101COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                • Instruction ID: ad37f466c7bb3d7203a7b22b0e2ccba2ec28a59f3b6bdff20c8c2e4278541177
                • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                • Instruction Fuzzy Hash: C631F032105306AFD766DB24C811E6FBBE8FB90760F14492EFD409B290E670EC05DBA2
                Function 0152EB1D Relevance: .1, Instructions: 100COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3d5b8555cecad70755434b3b47d2bf333a5ad2142742c7f50c9f9f79181b0b6
                • Instruction ID: 92a1fe4866dac4facea1c8a635d9c3df0ee44851ddc5d835cbe8eb9df2e8835a
                • Opcode Fuzzy Hash: a3d5b8555cecad70755434b3b47d2bf333a5ad2142742c7f50c9f9f79181b0b6
                • Instruction Fuzzy Hash: 0D31D4336016A29BF3229B9DC949B697BD8FB56B44F1D00A4EA459F6E1DB38D841C220
                Function 015761C3 Relevance: .1, Instructions: 97COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d420823ada81aa5ff699fd86e66ef4d94daa2b18c776a827efd6eea7d17b8848
                • Instruction ID: b444856efcb3afc6b8849738e260df317897d9e8642fb612780ff0490b3e5836
                • Opcode Fuzzy Hash: d420823ada81aa5ff699fd86e66ef4d94daa2b18c776a827efd6eea7d17b8848
                • Instruction Fuzzy Hash: 6031EF76A0061AABEB15DF98CC41BAEB7B9FB48B40F454169E900EF254D770ED00CBA4
                Function 014DEB20 Relevance: .1, Instructions: 96COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dd85e5ce83020affcfef7b42921ffffce984d8aae5ac4891ad873501d353572d
                • Instruction ID: 3bd9522021c5c743b7e936f0340e79e1240932fc6bd243a58607b7fad666238c
                • Opcode Fuzzy Hash: dd85e5ce83020affcfef7b42921ffffce984d8aae5ac4891ad873501d353572d
                • Instruction Fuzzy Hash: 3931B972E00215AFDF21DFA9CC40AAFB7F8EF54750F01442BE515EB260D6709E019BA0
                Function 015760B8 Relevance: .1, Instructions: 95COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 916607cd3a4a56bae38221e2761aed78aa509ab269e3fa045be8378f24c4d85d
                • Instruction ID: d81d264e7620a2bcacc94982002c0355dddd0fb2f4b8575fb3d4da1ce5fbb322
                • Opcode Fuzzy Hash: 916607cd3a4a56bae38221e2761aed78aa509ab269e3fa045be8378f24c4d85d
                • Instruction Fuzzy Hash: AD31E235B40A02EFEB129FAAE845A6EBBB9BB54754F00406EE505DF352DA70DC008B90
                Function 014B07AF Relevance: .1, Instructions: 95COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 95559be6f0340a5be8263d094d064faa060e8b8badede29988900e382be853aa
                • Instruction ID: 77359e30ae485adcf7962e23be4f215460a623fabf92c0f04d3b3782521b3818
                • Opcode Fuzzy Hash: 95559be6f0340a5be8263d094d064faa060e8b8badede29988900e382be853aa
                • Instruction Fuzzy Hash: E131C272A04612DBC712DE6988C0AABBBB5AFA4651F01452EFD55AB330DB30DD0287F1
                Function 014B8550 Relevance: .1, Instructions: 94COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eca696fb1d96b4ce4b5218e269fdd02eea16379c6ea8ff4845a11a99696e4ddd
                • Instruction ID: 48bf1cd5813f7cf08be5046dc89cb704ff0db9e8ee0c03525304b8802b78d68d
                • Opcode Fuzzy Hash: eca696fb1d96b4ce4b5218e269fdd02eea16379c6ea8ff4845a11a99696e4ddd
                • Instruction Fuzzy Hash: 513181716053028FE721CF19C840B5BBBE5FB98700F154A6EF9849B365D770E944CBA1
                Function 014EA6C7 Relevance: .1, Instructions: 92COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                • Instruction ID: 98ce1d0e44b87bed9815603be767ccee0e5862a7e30c08199dbdb7dadfde9c23
                • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                • Instruction Fuzzy Hash: 3B312DB2B00711AFD761CF69CD44B57BBF8BF19A50F14092EA59AC7761E670E900CB60
                Function 0155EBD0 Relevance: .1, Instructions: 91COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e7ac7329e15c1cab7289ed2298a35c850160b311f2770dbbd24b14ed0a7fd325
                • Instruction ID: e3cc07f001089ab2bfe4b748012c557ff4ebbdae8209206332635167424bd288
                • Opcode Fuzzy Hash: e7ac7329e15c1cab7289ed2298a35c850160b311f2770dbbd24b14ed0a7fd325
                • Instruction Fuzzy Hash: A931A971545311CFC711DF19C55185AFBF1FF99618F4449AEE888AF211D730DA44CB92
                Function 014D438F Relevance: .1, Instructions: 89COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 27a73aed8291d896c095418ed25caa6d11c6b193c9f06451c24f4743a742b12d
                • Instruction ID: f5f261eabcaf568b6d57ff2f5bec2513f602fcafd52ec8e588cb50361f9ae003
                • Opcode Fuzzy Hash: 27a73aed8291d896c095418ed25caa6d11c6b193c9f06451c24f4743a742b12d
                • Instruction Fuzzy Hash: 5431F631B002069FDF20DFA9C990A6E77F9BBA4704F08853BD115D7A64D730D985CB90
                Function 014ACB7E Relevance: .1, Instructions: 89COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                • Instruction ID: 2b785ae602ea395b3722df95624c556e73bf6f33cd65e5337a103566b48c5895
                • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                • Instruction Fuzzy Hash: A6210B36E4025A6ADB119BB98440BEFBBB5AF24740F0680369E15EB350E270C90087A0
                Function 014AC156 Relevance: .1, Instructions: 88COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c103d0739bc4a98e0e2009d9e3daef551ddac6ca4e9ba4f18ab86acfcd58d14d
                • Instruction ID: 36a6618a53757a087ead71d29634629b914b024c7cd3eae35afe7e9712c7a461
                • Opcode Fuzzy Hash: c103d0739bc4a98e0e2009d9e3daef551ddac6ca4e9ba4f18ab86acfcd58d14d
                • Instruction Fuzzy Hash: FA3149755003018BD722AFD8CC40BBD77B4BF60314F94816ED9469F3D2DA749986CB90
                Function 0156C3CD Relevance: .1, Instructions: 88COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                • Instruction ID: 13bc934ce80caa820fa68e92e5ec960b2a908d0a29bb514d2d5fd56085407ad3
                • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                • Instruction Fuzzy Hash: B021FD3660065366CB15EB958800EBABBB9FF90752F40841FFAD58F661E635D950C3E0
                Function 014AE420 Relevance: .1, Instructions: 88COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09ba03f34fbc535c18b054243fc4bffbe09bf398ce8cbc159764d172fef35481
                • Instruction ID: 2a3325bb3e7447f9a36f3759487cbfb0cf77b8c25341051285b11c79ec1bccf2
                • Opcode Fuzzy Hash: 09ba03f34fbc535c18b054243fc4bffbe09bf398ce8cbc159764d172fef35481
                • Instruction Fuzzy Hash: 9431F632A0051C9BDB31DF19CC41FEE77B9AB35740F4201A6E655BB2A0D6749E818FA0
                Function 014E4588 Relevance: .1, Instructions: 87COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                • Instruction ID: 2d7c26e9799eb7191f5149758321c1ec6ce705230e14f7feabf1661fca77048b
                • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                • Instruction Fuzzy Hash: 1E21B431A00605EFCB10CF69C584A8EBBF5FF58311F14846AEE19DF250D678EA018F50
                Function 014E44B0 Relevance: .1, Instructions: 87COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9df6a3d01f0cc6383aabb0c3ac7cfc97d33d2ea3ca18d615638cce44e8a90c84
                • Instruction ID: eb91a967f66a786c9a2da6cc5bc17d6a3c836b1943ed7d7f34ffebe23f1b446b
                • Opcode Fuzzy Hash: 9df6a3d01f0cc6383aabb0c3ac7cfc97d33d2ea3ca18d615638cce44e8a90c84
                • Instruction Fuzzy Hash: 9721E132A047459BCB22CF19C884B6B77E4FF8CB61F09452EFE549B651C734E9018BA2
                Function 014AE388 Relevance: .1, Instructions: 86COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                • Instruction ID: a3ba2d5a48ec5eb84b8adf707fb9ef468b7329489ac20e1a673be970ee074289
                • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                • Instruction Fuzzy Hash: B531AD31600605EFE721CFA9C884F6AB7F9FF95354F1145AAE5129B2A1E770EE02CB50
                Function 0152E609 Relevance: .1, Instructions: 86COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15b23b4b4ee45a11af6b9b3cda6126618814c13af38e95d6e89c800186d8962d
                • Instruction ID: 1ee463600f0914b344b09664c9a9884655282ab24219a48744b6120be3f10f71
                • Opcode Fuzzy Hash: 15b23b4b4ee45a11af6b9b3cda6126618814c13af38e95d6e89c800186d8962d
                • Instruction Fuzzy Hash: 9B317C76A00216DFCB24CF58D885DAEBBB6FF85304B19445AE8099F391E771FA41CB90
                Function 014B8D59 Relevance: .1, Instructions: 83COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                • Instruction ID: 0913ea627c627205191e9586d9cb570b3ada12aee2a7bc9a4515be8ecb023000
                • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                • Instruction Fuzzy Hash: EA2136356406829BF727DB2DD844BB977B8BF50750F2944AADD428B6E2E3B49C02C260
                Function 015306F1 Relevance: .1, Instructions: 79COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b21be251a846bc4253152ba9abfff22e647c121229d9e8fc0b8da554f75fffb3
                • Instruction ID: 06942faf249d0da5f8104fdd9950dc948b55bb8657aa2cf93eaae229ee6b75f3
                • Opcode Fuzzy Hash: b21be251a846bc4253152ba9abfff22e647c121229d9e8fc0b8da554f75fffb3
                • Instruction Fuzzy Hash: 6A21917590022A9BCF21DF59C881ABEB7F4FF58740B55006AF541EB250D738AD42CBE1
                Function 0153019F Relevance: .1, Instructions: 78COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e9514390e0a7036c02e63ea5536572ee98520ab7591460e870aa326de413d597
                • Instruction ID: 5c431ac09d8f3a9310010269995b2ccea44b39298ccea7b477e7b653fc2e1d87
                • Opcode Fuzzy Hash: e9514390e0a7036c02e63ea5536572ee98520ab7591460e870aa326de413d597
                • Instruction Fuzzy Hash: EA218971600645AFD715DF6DC840E6AB7A8FF98B40F14406EF904DB6A1E634ED41CBA8
                Function 01530283 Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8cb7f4048bf491553b0bf77ada6e307e82b1a843be20d55a2a0c47430fd24833
                • Instruction ID: 5de42b826a565b37fa705fab19b79242761c4350500d852c24c49842448d9698
                • Opcode Fuzzy Hash: 8cb7f4048bf491553b0bf77ada6e307e82b1a843be20d55a2a0c47430fd24833
                • Instruction Fuzzy Hash: E421B0729043469BD711EF6AC844BAFBBDCBFE1650F08445ABD80CB2A1D734D905C7A2
                Function 014D2835 Relevance: .1, Instructions: 73COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b737da4cd0cefdf079022dff565140fbbead3b79d373f426e1e804a33d75ac11
                • Instruction ID: 993abae159a7aa01d6433b280bcee4b21c522115dbdfb435237056b20e23eedc
                • Opcode Fuzzy Hash: b737da4cd0cefdf079022dff565140fbbead3b79d373f426e1e804a33d75ac11
                • Instruction Fuzzy Hash: 4921DA31645AC29BF723976D8C55F693B94BB41B74F180365F9209F6F2DBB8C8028250
                Function 014EA30B Relevance: .1, Instructions: 70COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 03280c57cb61e32f9cc86a18a9fbfecedc8bc4fbad5f4e1b7e8b58e5058a01dc
                • Instruction ID: a4b6751bf04146cad4e4c9fd10c4c3936691cd0e213af5fd42d0ef37748c5d90
                • Opcode Fuzzy Hash: 03280c57cb61e32f9cc86a18a9fbfecedc8bc4fbad5f4e1b7e8b58e5058a01dc
                • Instruction Fuzzy Hash: F621A93A240A119FC725DF2AC800B5AB7F5BF18B04F24846DE509CBB61E371E842CB94
                Function 01530946 Relevance: .1, Instructions: 70COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 01376fe8e838173437b0fb2e6341db207c636ee030188470724d41c1140e394a
                • Instruction ID: 237f1f46d3711a6faacb41d2de06e261c6a548fe0646bfa035fc6d5f8305c56a
                • Opcode Fuzzy Hash: 01376fe8e838173437b0fb2e6341db207c636ee030188470724d41c1140e394a
                • Instruction Fuzzy Hash: E721EBB1E40349ABCB14DFAAD8809AEFBF8FF98710F11012FE505AB250D7709945CB60
                Function 015480A8 Relevance: .1, Instructions: 69COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                • Instruction ID: e960c9db7ba7d4a1c32ac46a4a4f45df1a4ac95e911756b80f6408184489ce04
                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                • Instruction Fuzzy Hash: ED218C76A0020AEFDF129F98CC40BAEBBB9FF98714F20481AF905AB251D734D9509B50
                Function 014E0124 Relevance: .1, Instructions: 68COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                • Instruction ID: 812bfa399e8f6e3bb9255193348e04552372803d9cd3a6cef093021100d82a65
                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                • Instruction Fuzzy Hash: 6611E272600605AFD7269F45CC84F9ABBB8EB90755F10006EF6108F2A0D6B2ED44CB50
                Function 014B8770 Relevance: .1, Instructions: 68COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e46796c4fb98cfc06cbb755f739c5ddf596eddac5da39f191e56a702aca4654
                • Instruction ID: d22bbb0d255110ac6197a3da449b4709f878a8dcadba14899c54d0c241bacae9
                • Opcode Fuzzy Hash: 1e46796c4fb98cfc06cbb755f739c5ddf596eddac5da39f191e56a702aca4654
                • Instruction Fuzzy Hash: 2E11B2357016129BDB11CF5DC8C0A9BBBEDAF5A715B1840BEEE08DF315D6B2D90287A0
                Function 014EAAEE Relevance: .1, Instructions: 68COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                • Instruction ID: dfd4dd226b3b1aa4ca5b7c4a68c8026375c52337191e2a866822b90352485388
                • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                • Instruction Fuzzy Hash: A1218E72A00641DFDB318F4AC548A66FBE6FB94B51F24893EEA458B720C730EC01CB40
                Function 014B80E9 Relevance: .1, Instructions: 66COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 494c91e032f693be1b9d4f42f6a8a95da1fb668c24b9a7a9c32610994658150d
                • Instruction ID: 7bf0d8260f766cd43439918c1eae2b1dee3fd07f4f27a79b28b748804a11a212
                • Opcode Fuzzy Hash: 494c91e032f693be1b9d4f42f6a8a95da1fb668c24b9a7a9c32610994658150d
                • Instruction Fuzzy Hash: 14216F75A41206DFCB14CF58C581AAEBBB9FB88714F24416ED105AB365C771AD06CBE0
                Function 014E674D Relevance: .1, Instructions: 65COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: faaf490eeed8dd7c4abd23b7aea210e0ca80303deae27bc7850ac6ac4eb494c0
                • Instruction ID: 99e6588ea48bde0def0ce754d6258fb6f2be854c751f0364e8fda9aa749deb32
                • Opcode Fuzzy Hash: faaf490eeed8dd7c4abd23b7aea210e0ca80303deae27bc7850ac6ac4eb494c0
                • Instruction Fuzzy Hash: 8D219D75640A01EFD7208F69C880F66B7F8FF64651F45882EE5AACB260DB70B840CB60
                Function 01546870 Relevance: .1, Instructions: 63COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76a2fc22915cbd8741d7726fdb14c83dc9e6a17f95d37456466243296472579f
                • Instruction ID: 8c3c391d11dfaf6eac21363f331c8f561d975d6bd02e929e5e419ea324c4b496
                • Opcode Fuzzy Hash: 76a2fc22915cbd8741d7726fdb14c83dc9e6a17f95d37456466243296472579f
                • Instruction Fuzzy Hash: F3119136240615EFD722DB5AC940F9A77E8FB96B68F114029F205DF261DBB0E901C7A0
                Function 014DE8C0 Relevance: .1, Instructions: 63COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9be30806b0fe011657c0f5183fdb7c7757aa38e58693ea880065833ab2402f09
                • Instruction ID: feac345b8fd9b35d0737d1592276eacb15739628bf543a2d9f3b61b685688c98
                • Opcode Fuzzy Hash: 9be30806b0fe011657c0f5183fdb7c7757aa38e58693ea880065833ab2402f09
                • Instruction Fuzzy Hash: 67114C373041109BCF1ACB29CC54A6F7796EBD1374B28493ED522DF3A0D9308802C790
                Function 014E66B0 Relevance: .1, Instructions: 61COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a2b9d687694235760d17c422f7054ec4a430de7c993a1164e701c069fe0fb9fc
                • Instruction ID: 7c688ee96434603c9e6e25424416d4726fb2b1841cdc965f08f34f87425905a9
                • Opcode Fuzzy Hash: a2b9d687694235760d17c422f7054ec4a430de7c993a1164e701c069fe0fb9fc
                • Instruction Fuzzy Hash: 4F11CE76A81205DFCB25CF99C584E5BBBF8AFA4611F06807FD9059B320EA70DD00CB90
                Function 0157A8E4 Relevance: .1, Instructions: 61COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                • Instruction ID: 870cf6af4d2813d2f372779847b5e813975c6db46bd475ebee74644816f2654a
                • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                • Instruction Fuzzy Hash: E511C436A0091AAFDB19CF58CC05B9DBBF5FFC4210F098269E8559B350E671AD51CB90
                Function 014B0AD0 Relevance: .1, Instructions: 61COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                • Instruction ID: b1a14267abcca1a09ada502dafae7395fe76ef8676690200d5ea20be69ae8e02
                • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                • Instruction Fuzzy Hash: 7A21E3B5A00B059FD3A0CF29C480B56BBF4FB48B20F10492EE98AC7B50E371E814CB94
                Function 0153E7E1 Relevance: .1, Instructions: 59COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                • Instruction ID: 919af053fdc2bae4c7c4b353ee74aba2fdb86644b7eed32ef93f5cf327b00717
                • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                • Instruction Fuzzy Hash: FC119E32A00605EFE7219F49C842B5AFBE5FBD6754F05842DEA099F1A0DB31EC41DB90
                Function 014D27ED Relevance: .1, Instructions: 58COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1b0c6833c4ace5a10b17b5821d87789dcb7b24ee4862615b0bb90056332f4b57
                • Instruction ID: e9350882d7c1b3c59cedbc5918346e83c2af29756e2cb442c2d9a226dd0dcbe3
                • Opcode Fuzzy Hash: 1b0c6833c4ace5a10b17b5821d87789dcb7b24ee4862615b0bb90056332f4b57
                • Instruction Fuzzy Hash: F4010431206685AFF717A66ED895F6B6B9CFF90654F45006AF9008F2A1D974DC01C2B1
                Function 014B4690 Relevance: .1, Instructions: 57COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b89300e8b5640f2e2d759dffe6e0702c2045a844e8dcf690dd8f86fe557700b6
                • Instruction ID: 56599dd5df0bf37c4f74b4f15bbe78df14ee89c64f832fe692e27e5cfe0127a2
                • Opcode Fuzzy Hash: b89300e8b5640f2e2d759dffe6e0702c2045a844e8dcf690dd8f86fe557700b6
                • Instruction Fuzzy Hash: 1C110236200645AFDB21CFA9C884F977BA4EB96B64F18411BF9068B762C330E811CF70
                Function 014E6620 Relevance: .1, Instructions: 56COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3025aceae59d620bfebc4d4b716be450c2c1818068e9d0d0fa66e2903088470
                • Instruction ID: 9e19d16a9a2c206261fb2379cda1bae3886b0a5cd2f95b8dd6e10127155bbcb8
                • Opcode Fuzzy Hash: a3025aceae59d620bfebc4d4b716be450c2c1818068e9d0d0fa66e2903088470
                • Instruction Fuzzy Hash: B311C676910615ABDB21DF69C9C4B5EFBF8FF64741F51045ADA08A7320D730AD018F60
                Function 014DEA2E Relevance: .1, Instructions: 56COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8b4175cf6d7b1bf532b7b816d12845f14402eb2fe4e7c6881bd6125137cee12e
                • Instruction ID: 8d2c98d9659c271d33acbb1ac0f45b700d6f5c04715cd8089f7cc0a126c8fe21
                • Opcode Fuzzy Hash: 8b4175cf6d7b1bf532b7b816d12845f14402eb2fe4e7c6881bd6125137cee12e
                • Instruction Fuzzy Hash: D30100701101069FCB25CB19D494E16BBE9FB91314F61816FE1059F331D770EC46CB90
                Function 014DE53E Relevance: .1, Instructions: 55COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                • Instruction ID: 2626b426c74c53f953475fcbbfc114854ebe696466d45e86c436607a8aff52d8
                • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                • Instruction Fuzzy Hash: 6211C2722016C29BFB239B6C8964B693B94BB00B88F1904A7DA419F662F339C847C250
                Function 0153E75D Relevance: .1, Instructions: 54COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                • Instruction ID: c992a37531869ac4e43bdbf7f562aa62aeba0fae5a328a1284557145cb5d026d
                • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                • Instruction Fuzzy Hash: 5B019236600146AFE7229F59C842F5B7BE9FBD5B50F058429EA05AF260E771DD40CB90
                Function 014AA250 Relevance: .1, Instructions: 52COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                • Instruction ID: e23ee1a9611d0fceb18e0539f2c24cb9c386511688be966afecbbfc218c52a83
                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                • Instruction Fuzzy Hash: 4B0126365047229BCB318F19D840A377BA4EF65B60751852FFD958B3A1C331D421CB60
                Function 0152E1D0 Relevance: .1, Instructions: 51COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e425bcc5e73dfec9b6217363a40767316f2a6e40b230579513f73f4281946938
                • Instruction ID: ffc1fe962d468ba3ca9c2158344ea70fe10d40827566d18bc69f399eb173a11d
                • Opcode Fuzzy Hash: e425bcc5e73dfec9b6217363a40767316f2a6e40b230579513f73f4281946938
                • Instruction Fuzzy Hash: CD110432241240EFCB15EF0ACC91F4A7BB8FF65B44F10006AF9059F2A1C231ED01CAA0
                Function 014B6259 Relevance: .1, Instructions: 51COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6fdf6e32404514dd1bcb1ffe84a43aebb78848075c53b990fbf96312e3c161ac
                • Instruction ID: 61a1e175bef959cf983d783d4aa62f65f26c2bf83fd7b6fc300dbf3d27b241dc
                • Opcode Fuzzy Hash: 6fdf6e32404514dd1bcb1ffe84a43aebb78848075c53b990fbf96312e3c161ac
                • Instruction Fuzzy Hash: 11119E7054121CABEB25AF25CC41FE97274BB14710F5041DAA714AA1F0D6709E81CF94
                Function 014A6DF6 Relevance: .1, Instructions: 51COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed32732136294d1113b649780bdc19f99634e64f433608feef09d8c75e69f3d2
                • Instruction ID: 5d2ec31dedae2516b88db5eb28a6e514cd4f648bd2aa12e80e221b0afe4d2990
                • Opcode Fuzzy Hash: ed32732136294d1113b649780bdc19f99634e64f433608feef09d8c75e69f3d2
                • Instruction Fuzzy Hash: D101F5313106036FCF126EA998808ABB7A4FFD4318B40052CF9598F6A2EB61EC10CBD0
                Function 014E6DA0 Relevance: .1, Instructions: 51COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                • Instruction ID: 0ce673770e26a1f0d91cb4fc93572c342b69cd1a73577c5a9f9cc30adce81d29
                • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                • Instruction Fuzzy Hash: 7E01287160411567EF259B1EC808B9B7FE4DB60B60F06411BEA065B2E0D774D881C3E1
                Function 01536050 Relevance: .0, Instructions: 50COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68f773ca8382bcb45bc72b8426df6ff399d00b961d98d698ab01f185d5cc3701
                • Instruction ID: a7cbc382d4aef3bf92a072dfa35a08495a12b97e37136c8b47b97b154c28e974
                • Opcode Fuzzy Hash: 68f773ca8382bcb45bc72b8426df6ff399d00b961d98d698ab01f185d5cc3701
                • Instruction Fuzzy Hash: B0111772900019BBCB11DB95CC84DDFBBBCEF58254F05416AE916AB211EA34EA15CBE0
                Function 014B208A Relevance: .0, Instructions: 50COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                • Instruction ID: 051dad6cae527dd77b7068c67086cc36a97c5099fd2184411389577db307fc2a
                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                • Instruction Fuzzy Hash: A601F5726001019BEF229E59D8C0F967766BFD4600F1540ABEE018F2A6DAB1AC82C7A0
                Function 01546500 Relevance: .0, Instructions: 50COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 346fe599c2d6088be272bb38646307cfb78b2511e530efb6d10d6692bbcc0bb7
                • Instruction ID: 9fa0c7bd7b9b447ab958a79e2134ffd37285afa087b0d9c5c27acb994346ecc2
                • Opcode Fuzzy Hash: 346fe599c2d6088be272bb38646307cfb78b2511e530efb6d10d6692bbcc0bb7
                • Instruction Fuzzy Hash: B611E1326401469FC301CF28C840BE6BBB9FB5A318F488159E8488F315D732EC80CBE0
                Function 0153C810 Relevance: .0, Instructions: 50COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b9e8832685e2b6dfdbe72346f5fb8f88b69859aef8cf7c6f15abb9ca034f6e12
                • Instruction ID: 1f4db67a18b74be452055826ea12726c012c6b4cf6526ef0131c78e8dc281054
                • Opcode Fuzzy Hash: b9e8832685e2b6dfdbe72346f5fb8f88b69859aef8cf7c6f15abb9ca034f6e12
                • Instruction Fuzzy Hash: EE11ECB1A002499FCB04DF99D541AAEB7F4FF58350F14406BA905E7351D674EE01CBA4
                Function 014AC020 Relevance: .0, Instructions: 49COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                • Instruction ID: 8939f85876876f9519e8e55a0a2ea6f3954ec90b582d077388d7c8d87d4f38c6
                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                • Instruction Fuzzy Hash: CC012D321007059FEB33DAEAC440FA777F9FFD5610F45841EA9458B550DA71E402C750
                Function 014F20F0 Relevance: .0, Instructions: 49COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 894e5ab2b914855ceff295d7e5dc006157776785f9d5f9d7894c619f294895eb
                • Instruction ID: 1454bfc95359d78d0383576f6134ff5858b40967041b8beb4b0f1de74b0e3ad2
                • Opcode Fuzzy Hash: 894e5ab2b914855ceff295d7e5dc006157776785f9d5f9d7894c619f294895eb
                • Instruction Fuzzy Hash: 83115735A00209ABDB15EFA4C950EAF7BA5FB95650F10405EEA019B3A0DB35EE12CB90
                Function 014EE5CF Relevance: .0, Instructions: 49COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d632363efd60cfe1af6bdb348d89d98e4d2228abd9e4aaad33f76beb38283511
                • Instruction ID: acb128826d9d9ae836aedf13fd24389a5415da5cb57eca70eb5f175827328063
                • Opcode Fuzzy Hash: d632363efd60cfe1af6bdb348d89d98e4d2228abd9e4aaad33f76beb38283511
                • Instruction Fuzzy Hash: 9001D476200512BBC351AB6ACD40E5BB7ECFB65A54B00053EB10597670DBB4EC01C6E4
                Function 015469C0 Relevance: .0, Instructions: 49COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a74cd8e0ecb8082a55fa24a28992bbc5de5de594fe7ac55692db61e546fe9ee8
                • Instruction ID: a6c5eb212537ce1442472acbbc2d1d52f99b1ecce3c92f8d7aa12b529a2958b1
                • Opcode Fuzzy Hash: a74cd8e0ecb8082a55fa24a28992bbc5de5de594fe7ac55692db61e546fe9ee8
                • Instruction Fuzzy Hash: 3A014C32214702DBC324DF6BD848AABBBE8FF55624F51452EE9588B290E7309941C7D1
                Function 0153C460 Relevance: .0, Instructions: 48COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b93bbe43e0cf077b0cddd840a765b298ff7575afa2bf380d79d09a407f0db4f2
                • Instruction ID: adc2d28e149da3fee3703a106585cabb9104af853223d7c75ec3858ce9f93ebf
                • Opcode Fuzzy Hash: b93bbe43e0cf077b0cddd840a765b298ff7575afa2bf380d79d09a407f0db4f2
                • Instruction Fuzzy Hash: C8116975A0020DEBDB15EFA9C844EAE7BB5FB98340F00405AFD01AB390DA35EE11CB90
                Function 0153C97C Relevance: .0, Instructions: 48COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 985c37c4065799a4b3ac2e7b59f786f4f1189413a2d8c6cef2f048aeb9ea6a3b
                • Instruction ID: 64d05f957144f4f9b314aa50fa198626c2db371d0359c456faf38e3fee22f323
                • Opcode Fuzzy Hash: 985c37c4065799a4b3ac2e7b59f786f4f1189413a2d8c6cef2f048aeb9ea6a3b
                • Instruction Fuzzy Hash: CB117CB16043049FC700DF69C44195BBBE4FF99710F00451FBA98D7360D630E900CB92
                Function 0153CA11 Relevance: .0, Instructions: 48COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19161f668b9ca1313c6c4e514890dd828b7ff5111e5ea8ea0c424e1fdff09f9a
                • Instruction ID: f62b3ba45824066c696c32963aaf1d82a3b250e94d29ed537fe69de1ae8c4ea0
                • Opcode Fuzzy Hash: 19161f668b9ca1313c6c4e514890dd828b7ff5111e5ea8ea0c424e1fdff09f9a
                • Instruction Fuzzy Hash: F41179B16083089FC310DF6AC441A5BBBE4FF99750F00891FBA58DB3A0E670E901CB92
                Function 01584A80 Relevance: .0, Instructions: 48COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                • Instruction ID: 1bb7926dad664824bdac1f919dccfc082fc9f5112ab59737156b5f750b8c01ac
                • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                • Instruction Fuzzy Hash: 3C01D8362006039FD721EB59D844FAAFBE7FBC5610F04481EEA429F650DAB0F841C754
                Function 014CE016 Relevance: .0, Instructions: 46COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                • Instruction ID: d225c447e4e732da941ab3e68d3a9d845ed884de785dfce4346c436c9f977d92
                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                • Instruction Fuzzy Hash: 3E017C762006909FE323865EC948F6B7BD8FB84B54F0904AAF909DB6E2D778DC41C661
                Function 014A826B Relevance: .0, Instructions: 46COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6d9dbb835d46d64ce3abc84bab61cfe0ad7a7043f0e44b3efde8f484967ea318
                • Instruction ID: 626b98902f0da175f484d07d844ad2a8ecbc81a4033c36fe2d6bb883fbc86f6d
                • Opcode Fuzzy Hash: 6d9dbb835d46d64ce3abc84bab61cfe0ad7a7043f0e44b3efde8f484967ea318
                • Instruction Fuzzy Hash: EF01AC32B00506DBD714EB69DC449BF77A9FFE0610B96406B99019B790DE70DD05C690
                Function 014B2582 Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff62169a621079eacb702b5595ee3480c84d4b8cd76a706c512e40e7f99eaeaa
                • Instruction ID: 7b2c7f490caa7b1c384305bbe6612fe6c0406304ef81692a6aebdc12c43b04db
                • Opcode Fuzzy Hash: ff62169a621079eacb702b5595ee3480c84d4b8cd76a706c512e40e7f99eaeaa
                • Instruction Fuzzy Hash: 5BF0F933741610BBC7319F578D80F4B7AADEB94F90F00402EE60597650C670ED01DAB0
                Function 014DC073 Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                • Instruction ID: ec5b52c428682e86079021c2ecb59604e2b57a420f71c6f1a7e8292fa95b7aef
                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                • Instruction Fuzzy Hash: 70F0AFF2600611ABD325CF8ED940E57FBEADBD1A90F04812DA605CB320EA31ED04CB90
                Function 014AC310 Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                • Instruction ID: 84b34972989f37255d172d723e254d14be0cbc27d5f44bdf11df8d178c5bddbe
                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                • Instruction Fuzzy Hash: 70F021332046339FD772579E48C0B6BA5959FF5A64F9B003BF2059B360C9708D0257D0
                Function 014ECA6F Relevance: .0, Instructions: 42COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                • Instruction ID: cb2db47ab609a3fd8787f12548371d36283cc848365f61df88529c0e2758b676
                • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                • Instruction Fuzzy Hash: 3901F9322006959BE322D79DD849F5ABBD8FF52754F08446AFA048F7F1D679C801C250
                Function 015861E5 Relevance: .0, Instructions: 41COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39f3f4eea05c7a57ac071cf8f67af252f61cbe038f991614956aed8914526b7b
                • Instruction ID: b74d51fbe971f0d21613c4611247a281be220684f83534a66bf1a426d6058f1f
                • Opcode Fuzzy Hash: 39f3f4eea05c7a57ac071cf8f67af252f61cbe038f991614956aed8914526b7b
                • Instruction Fuzzy Hash: DF012C71A002499BDB04DFA9D545AEEBBF8BF58710F15405EE501AB390D774AA01CB94
                Function 015363C0 Relevance: .0, Instructions: 41COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                • Instruction ID: c3d9f1085a85ee966cf12c343d9415793766b0bfe9edaf8cfc6bee7b8df3663e
                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                • Instruction Fuzzy Hash: EFF01D7220001EBFEF019F95DD80DEF7B7EFB99698B114129FA1196160D631DE21ABA0
                Function 0153A4B0 Relevance: .0, Instructions: 40COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad2ae82d72078e986725848af7831692b4671ed0f242a5a02c34a614fc45f5a0
                • Instruction ID: 0f64f4de55a31ae6608a12cb0c681d9a3ba87457377495654e087090fc52e80e
                • Opcode Fuzzy Hash: ad2ae82d72078e986725848af7831692b4671ed0f242a5a02c34a614fc45f5a0
                • Instruction Fuzzy Hash: 35019A36110219ABCF129F84DC40EDE3F66FB8C754F068105FE19AA260C332D970EB81
                Function 014AC0F0 Relevance: .0, Instructions: 39COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ccef1700ef88d612eb8b594e004769cf0ff075c1c2f9bee86b65705cd5f7ff82
                • Instruction ID: d3ac0413f69147f30b4c359dbf61fdb6fac956f8194a39c833f718d43dcb65f9
                • Opcode Fuzzy Hash: ccef1700ef88d612eb8b594e004769cf0ff075c1c2f9bee86b65705cd5f7ff82
                • Instruction Fuzzy Hash: 61F02B713043415BF791A6199C91F633695E7E0651FA6802BE7058F7F1EA70EC0187A4
                Function 014E656A Relevance: .0, Instructions: 39COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5b9b81082da0ec4571e8d4c4de3f7bde3bb72b973ec8b77babf63835359a73d3
                • Instruction ID: 1d51b3aa208e21e6138ec778d8e6d5eb06f9f57ecac4364a5fc9c127a9afece0
                • Opcode Fuzzy Hash: 5b9b81082da0ec4571e8d4c4de3f7bde3bb72b973ec8b77babf63835359a73d3
                • Instruction Fuzzy Hash: 3E01A4713406819BF3229B2CDD4CF6A3BE4BB61B00F4A45A5FA118F6F6D778D8428710
                Function 0155437C Relevance: .0, Instructions: 37COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                • Instruction ID: 25c62d06fbd35a42618cc7876f42ad9ac089c3c0cdda4396c7297ddd4da35069
                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                • Instruction Fuzzy Hash: F7F0E93534191347EBB5AB2E8430B2EA695BFA0D50B17053F9D01CF671EF20D8C08780
                Function 0153E872 Relevance: .0, Instructions: 36COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                • Instruction ID: f0c069cacb3d0a44f690639d6aabb158ad440797878cd8dd5087b48b8df839d6
                • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                • Instruction Fuzzy Hash: A1F05E33B116129BE3219E4ECC81F5AF7E8FFD5A60F190479AA04AF260C760EC0287D0
                Function 0153C89D Relevance: .0, Instructions: 36COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd73b8f2b5dc463b285113ac6d326d78cda76836ee9fa9f15c81e8018bb89b98
                • Instruction ID: 5c6a35c4ac667797120e1f0dcf48d7292e4f00547e472c4795c8cfbb747bb9c4
                • Opcode Fuzzy Hash: bd73b8f2b5dc463b285113ac6d326d78cda76836ee9fa9f15c81e8018bb89b98
                • Instruction Fuzzy Hash: E9F0AF716053449FC310EF29C441A2BB7E4FFA8710F404A5FB998DB394EA34EA01C796
                Function 014E0854 Relevance: .0, Instructions: 35COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                • Instruction ID: 531e9e65bbf29ab392893509ec4175f3d60376377f6ca969f4277b35fb6aef59
                • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                • Instruction Fuzzy Hash: 0EF0F072600201AEE314DB22CC04F46B6E9EFA8340F148079A584C72B0EAB0ED01C654
                Function 01538D20 Relevance: .0, Instructions: 35COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 228d8c744901fcaeb5eec259cdd72c4d50b801aa42149353f3cb94d1361f556e
                • Instruction ID: 4ddcbe95da26c205c59071d8f2ecaf70381b7ae5182a59b7e4383eb5b1d6721c
                • Opcode Fuzzy Hash: 228d8c744901fcaeb5eec259cdd72c4d50b801aa42149353f3cb94d1361f556e
                • Instruction Fuzzy Hash: 71F024320506446BD6266A1CAC88FDEBBA8FFE0310F8A091AF9592F12186306C80C7D0
                Function 0153C912 Relevance: .0, Instructions: 34COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 06d6a82499916a00bf4eff9d47410c63ca022a730f62cfd5f4f5e6aee605edc5
                • Instruction ID: 7787f2b8f172e69bf0defefbfa153b3cf5fd2394a3fdb013432ed6f94eaf05e1
                • Opcode Fuzzy Hash: 06d6a82499916a00bf4eff9d47410c63ca022a730f62cfd5f4f5e6aee605edc5
                • Instruction Fuzzy Hash: DFF0C270A00249DFCB04EF69C511AAEB7F4FF68300F01805BB915EB395DA34EA01CB90
                Function 014B47FB Relevance: .0, Instructions: 33COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 55fa585e24b655ad9ebc8045ba996a338b30f6b249ec626ea6ee5c543a72a960
                • Instruction ID: a9178100a59bbcec488ad3ab709d370f022e074ba8b966de3b7fe6a1a71cd925
                • Opcode Fuzzy Hash: 55fa585e24b655ad9ebc8045ba996a338b30f6b249ec626ea6ee5c543a72a960
                • Instruction Fuzzy Hash: B8F096399156D19ED722975CC484B9277E4DB01B20F0C596BE58B87673C734D840C6A1
                Function 01570115 Relevance: .0, Instructions: 32COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ef2f4680c1543f88b46d5cb4fc65ec93f35fee8db376f34f1265f21effca98b6
                • Instruction ID: 43dc0f42d2a4d4c318999d01d562bee0a998a32efa6496df3c2ba8008f6f3071
                • Opcode Fuzzy Hash: ef2f4680c1543f88b46d5cb4fc65ec93f35fee8db376f34f1265f21effca98b6
                • Instruction Fuzzy Hash: 02F0277A4596C20ECB326B3C7C622E97BA8B792110F4E2445E4B15F249CB748487D360
                Function 014EC5ED Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 254b099ff3fb90ca845cab743db1ce698020a91f99569b52e6338d8b98531777
                • Instruction ID: fae620401fc036c4b72b14fdf38a52d4d1565b6b360c8e53d21f1c6d26d29530
                • Opcode Fuzzy Hash: 254b099ff3fb90ca845cab743db1ce698020a91f99569b52e6338d8b98531777
                • Instruction Fuzzy Hash: 22F0E2715116519FE322973CC1CCB237BE4AB85BA2F089527D44E87672C374E882CE91
                Function 014F2619 Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                • Instruction ID: 4f706c64647eea87f12b11df6253cde8b0f54c78bc794464f93836be49d871dc
                • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                • Instruction Fuzzy Hash: 46E092723006012BE7119E5A8C80F477B6EDFA6B10F04007EB6045E361C9F2DD0986A4
                Function 01546030 Relevance: .0, Instructions: 29COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                • Instruction ID: 9f532e2ab1a0233ee8c048801ecf74569055263c5041560518538b7d21b9b182
                • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                • Instruction Fuzzy Hash: 53F030722042049FE3218F0AD944F56B7F8FB16769F45C42AE6099F561D379EC40CFA4
                Function 014B0710 Relevance: .0, Instructions: 28COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                • Instruction ID: e97dd21e21f21b3ecac7d16fe17ee97736fbf50f13ef1971edc4bd988b5c0716
                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                • Instruction Fuzzy Hash: 7CF0E5392047419BEB16CF19C090AEABBF8FB51350F1404AAF8468B361D731E983CBA0
                Function 014E49D0 Relevance: .0, Instructions: 28COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                • Instruction ID: ec7f7436a05f1a5581ce8527550e476935d76eda9582e18c6d00ce66c2e5c059
                • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                • Instruction Fuzzy Hash: 0DE0D832344145ABD3211A598808B6B77E6DBE07F2F19042FE200CB270DB70DC41C7D8
                Function 014B25E0 Relevance: .0, Instructions: 23COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad628e45fc258a1aed759b908ef867e96e58cfe725879c2ec4a5b5f6e601abfa
                • Instruction ID: eef76b57d673f71ff00efb3c55c8cf238fd578f4a9d8c2e7b2f0181a88a705e5
                • Opcode Fuzzy Hash: ad628e45fc258a1aed759b908ef867e96e58cfe725879c2ec4a5b5f6e601abfa
                • Instruction Fuzzy Hash: 8BE092321005549BC721BF2ADD41FCA7B9AEB70760F05452EB116571A0CA70B910C794
                Function 01534000 Relevance: .0, Instructions: 22COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                • Instruction ID: 3d3cf2faa22eb1939c7ed07b530af0633968fcdb1ec8cbe1f8c70438bb0cb0bd
                • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                • Instruction Fuzzy Hash: 6FE052793003459FE715CF59C054B66BBB6FFD5A50F28C069A9488F205EB36E842CB51
                Function 014ECA38 Relevance: .0, Instructions: 22COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4294dfff94ff8a7c707e3fcafe484d2f6fe4e665a180d59b5593ff254751c023
                • Instruction ID: 3160b39ff60e4f6c6619c14884ef85b26f003a9dafa473a00c39bdd0cfa6ee06
                • Opcode Fuzzy Hash: 4294dfff94ff8a7c707e3fcafe484d2f6fe4e665a180d59b5593ff254751c023
                • Instruction Fuzzy Hash: A5D02B329C10306ACB75E2197C48FA73AD99B60661F024867F10897030D534CC8197C4
                Function 014A823B Relevance: .0, Instructions: 21COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                • Instruction ID: 07d76dbbcecf9af2a48656554e2e2361acd1f1afcc6857c77a692e7a5bdfdc01
                • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                • Instruction Fuzzy Hash: 22E0C233440A16EFDB322F16DC00F667AA1FF74B11F12486FE1811A1B487B1AC82CB44
                Function 014B2050 Relevance: .0, Instructions: 20COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ab6bb3d979bc5fbffca2716a00d71f8ec0c456fc7c30fd2fa5fb8ebb032b4a72
                • Instruction ID: f7304e52c198dfbc0a3d804f345db6c14cd16b1bf518545e113ee73694832114
                • Opcode Fuzzy Hash: ab6bb3d979bc5fbffca2716a00d71f8ec0c456fc7c30fd2fa5fb8ebb032b4a72
                • Instruction Fuzzy Hash: BFE08C321004506BC711FA6EDD40E8A739AEBB4660F05422AB1568B2A0CA70BC00C7A4
                Function 014E8A90 Relevance: .0, Instructions: 20COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                • Instruction ID: bb74199a4c3c89a0e6ab27f93a2ff433a3389e3167d2101c4f3a2d07ce139aeb
                • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                • Instruction Fuzzy Hash: 10E08633111A1487C728DE18D515B7277E4EF85721F09463EA61347790C534E544C794
                Function 01506AA4 Relevance: .0, Instructions: 17COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                • Instruction ID: 285fba6d074c5c3393baaaafe057933471ecb3757d1d556a1e75eea2acc925eb
                • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                • Instruction Fuzzy Hash: 12D05E36511A50EFC3329F1BEA00C57BBF9FBD4F20709063FA54583920C670A846CBA0
                Function 014EE59C Relevance: .0, Instructions: 16COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                • Instruction ID: d9a62ad77b94725edbf4bfe6e70919494c9ee5acdc86bfb037f79ef1940dcd57
                • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                • Instruction Fuzzy Hash: 6ED0A933204620ABD772AA1DFC00FC733E8BB98B20F06046EF008CB1A0C360AC81CA84
                Function 0152E908 Relevance: .0, Instructions: 16COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                • Instruction ID: 7dcd22e0075844abdee21cdbfd0ba622306e58c939f7338db4c6fad0ba4d8473
                • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                • Instruction Fuzzy Hash: 86E0EC36A506849FDF56DF5AC640F9EBBB5FB95B40F150059E5086F661C734AD00CB40
                Function 014AA0E3 Relevance: .0, Instructions: 15COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                • Instruction ID: 07cea69311c4f675288d1399ed2ea72cd150e2b8652c3d25bef3ade18774e849
                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                • Instruction Fuzzy Hash: 95D02233216030A3DB285A566800FAB6905ABA0A90F2B002F340A93920C0248C43C2E0
                Function 014EA830 Relevance: .0, Instructions: 14COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                • Instruction ID: 2b30d0d6f562431d04081a93601f665967568dd7d1bf0dc6a7ec7838ea936bbd
                • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                • Instruction Fuzzy Hash: F7D0123B1D054DBBCB119F66DC01F957BA9E764BA0F448025B504875A0C63AE950D584
                Function 014ECA24 Relevance: .0, Instructions: 14COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c4737bb669213544642d0449c0603aebfa0331663ad198f5b1cf09a8355a4b26
                • Instruction ID: 3fb9e119102d8e54bd229dde0548257cdf1feeda7bce1063cc82ca679a63766d
                • Opcode Fuzzy Hash: c4737bb669213544642d0449c0603aebfa0331663ad198f5b1cf09a8355a4b26
                • Instruction Fuzzy Hash: 1ED0A735541011CBDF16DF4DC654E7E36F0FB10641B40007DE70156570D334EC01C690
                Function 014C02A0 Relevance: .0, Instructions: 13COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                • Instruction ID: 132f0681d367ed39186a8d25eb6d1ac5a36a5be8158694d6aed69e7dadb0d42c
                • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                • Instruction Fuzzy Hash: 3DD09239216A80CFD65B8B0CC5A4B1633A4BB44F44F8108A5E402CBB22E638D940CA00
                Function 014EC700 Relevance: .0, Instructions: 12COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                • Instruction ID: 107d34a8712ef7d06cc109673529fe5ea882d2740c080edcbe71c76707895d52
                • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                • Instruction Fuzzy Hash: 3FC01237290648AFC712AE9ACD01F467BA9EBA8B40F004026F2048B670C631E820EA84
                Function 014D0310 Relevance: .0, Instructions: 11COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                • Instruction ID: 626d07713cfeaee269dded7690a6dcd15e043aef335ca46367e280f2ab4243af
                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                • Instruction Fuzzy Hash: 2FD01236100248EFCF01DF41C890D9A772AFBD8710F108019FD19076108A31ED62DA50
                Function 014B0750 Relevance: .0, Instructions: 9COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                • Instruction ID: fe60abdd46e260a110d43e5c9a4b7b4e2b59edcf35f4c24369ffb2ccaf69ad40
                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                • Instruction Fuzzy Hash: 1BC04879701A428FDF16DF6AD294F9977E4FB54B40F254898E805CBB22E625EC02CA10
                Function 01584DAD Relevance: .0, Instructions: 6COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                • Instruction ID: 8cbe340b9c765b8f96fcafd66b4131b6fc5f6e95b97470bca87dd03c5c83bc25
                • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                • Instruction Fuzzy Hash: F9B01232212545CFCB026721CB10F1832A9BF127C0F0900F4B50089830D6288A10E501
                Function 014F4340 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd84632e7a69bed46eebd612467a354302e0796bf059af927783eeb53e602648
                • Instruction ID: 5a72633ad7c9e3be4d09724c5b257a3283e8634c64c85065163972c7c56c2fab
                • Opcode Fuzzy Hash: fd84632e7a69bed46eebd612467a354302e0796bf059af927783eeb53e602648
                • Instruction Fuzzy Hash: C9900231A05C00529141719848849464045B7E0311B59C411E0424998CCA548A965361
                Function 014F4650 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e1c0c761174905b315ccd4c091fc42fd9933285cef9451b3d1318c2d79c9ae10
                • Instruction ID: 5ce39958b90f9cec41714bf1e5a3668bd46edf3c1d56514b6630a8b2ac5053ba
                • Opcode Fuzzy Hash: e1c0c761174905b315ccd4c091fc42fd9933285cef9451b3d1318c2d79c9ae10
                • Instruction Fuzzy Hash: B4900261A01900824141719848048066045B7E1311399C515A05549A4CC65889959369
                Function 014F2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9fd5eff8da39edb7cdc570f119ed70dd174739ff46e7915c2a42122f1513b7e6
                • Instruction ID: 3d977b02c033fdd496f536e88c9592bc7cdb4f40cbb32fbd8bec6f5d353f3015
                • Opcode Fuzzy Hash: 9fd5eff8da39edb7cdc570f119ed70dd174739ff46e7915c2a42122f1513b7e6
                • Instruction Fuzzy Hash: 6990026160280043410671984414A16404AA7E0211B59C421E10149D4DC56589D16225
                Function 014F2BE0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 050120e8aa264e05e1837671ef2763d40cd4b6e468570d517886b8e3833bdbaf
                • Instruction ID: 4a9b024d9579f61ac279025dd77b72fb597ad2916f1ce5cbc3ddc436ceeb35f1
                • Opcode Fuzzy Hash: 050120e8aa264e05e1837671ef2763d40cd4b6e468570d517886b8e3833bdbaf
                • Instruction Fuzzy Hash: 5490023160584882D14171984404E460055A7D0315F59C411A0064AD8DD6658E95B761
                Function 014F2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0dc71e967edd1b59037daabe009c62debe830c23881582b93300dbeaf1893073
                • Instruction ID: 770c60fb024a703665910efa5cb4667a73b9a3455789c4993a03e24047f2942d
                • Opcode Fuzzy Hash: 0dc71e967edd1b59037daabe009c62debe830c23881582b93300dbeaf1893073
                • Instruction Fuzzy Hash: 9890023160180842D18171984404A4A0045A7D1311F99C415A0025A98DCA558B9977A1
                Function 014F2B80 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4e0bce032cfa49f8804ef0e2507e5820d9751f2e0f638c193b5c4c52d207bc17
                • Instruction ID: a45b8fe9fb27ef2e18d7858f43b7f35a115fdb14fb2d0753e4b80327d2d1ccfb
                • Opcode Fuzzy Hash: 4e0bce032cfa49f8804ef0e2507e5820d9751f2e0f638c193b5c4c52d207bc17
                • Instruction Fuzzy Hash: 5390023160180842D10571984804A860045A7D0311F59C411A6024A99ED6A589D17231
                Function 014F2BA0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62a0e22784d6f33af97f096e4142f72360e7466c47c13c77f7006e5c36c14dd4
                • Instruction ID: 3f69722a6f6435c92c46f249e87e8efd62f73403341312b3a399803cc8fc8ebf
                • Opcode Fuzzy Hash: 62a0e22784d6f33af97f096e4142f72360e7466c47c13c77f7006e5c36c14dd4
                • Instruction Fuzzy Hash: 44900231A0580842D15171984414B460045A7D0311F59C411A0024A98DC7958B9577A1
                Function 014F2AD0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 889521370f8f4e692c6b00cbba25733dfebb39b737f82df9345d5ed0683db6f3
                • Instruction ID: b82cf40219af77037f62a11e412aa8e34192ee5ebfc75363f10ba8ada2df228a
                • Opcode Fuzzy Hash: 889521370f8f4e692c6b00cbba25733dfebb39b737f82df9345d5ed0683db6f3
                • Instruction Fuzzy Hash: A5900225611800430106B59807049070086A7D5361359C421F1015994CD66189A15221
                Function 014F2AF0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 579a0d47d7b3b74873c25842ab4b3e8753cbf2ad09d82a45db18106fbc36211b
                • Instruction ID: e0da3d14421b808812d0f2081586d4011dd39c029085a0ee038fa4d8f8c3d428
                • Opcode Fuzzy Hash: 579a0d47d7b3b74873c25842ab4b3e8753cbf2ad09d82a45db18106fbc36211b
                • Instruction Fuzzy Hash: 0E900225621800420146B598060490B0485B7D6361399C415F14169D4CC66189A55321
                Function 014F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5c7c1bf886149e5f8bd07a49267a1eea9a9894b31f367be807e2758d8bca8cbc
                • Instruction ID: 5a6fe7f7d7d2218d9de5fe0758293e3fcfbb23a6eed50d0e73dfcf3978bf892d
                • Opcode Fuzzy Hash: 5c7c1bf886149e5f8bd07a49267a1eea9a9894b31f367be807e2758d8bca8cbc
                • Instruction Fuzzy Hash: 299002A1601940D24501B2988404F0A4545A7E0211B59C416E10549A4CC56589919235
                Function 014F2D00 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdbcce71489434a6491ddd3708e188f74c768fef43ddc08bbda97350bd05dde9
                • Instruction ID: 2983fdb47fd9feea7678ce0786779104cb87fe795b788c8c0478aec7be0559bb
                • Opcode Fuzzy Hash: fdbcce71489434a6491ddd3708e188f74c768fef43ddc08bbda97350bd05dde9
                • Instruction Fuzzy Hash: F990022160584482D10175985408E060045A7D0215F59D411A10649D9DC6758991A231
                Function 014F2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 35a8bf2a8686ded7913e1e6c8849bcf31c362e1dcb0c58d4473c80c565fdde67
                • Instruction ID: 0848207a0cf572abfc14a650ba87e834b28dca6d785cf466bf5d55eda2a72050
                • Opcode Fuzzy Hash: 35a8bf2a8686ded7913e1e6c8849bcf31c362e1dcb0c58d4473c80c565fdde67
                • Instruction Fuzzy Hash: FF90022961380042D18171985408A0A0045A7D1212F99D815A001599CCC95589A95321
                Function 014F2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ecfd72dc5801bd679b2d7132a64ad9339a1a57dbf0f0530c178f984aa526ea7
                • Instruction ID: 24dc2f96ec203673ee641e1f35c6eb0675f59c52e33e28cb5886b6d03ea3c671
                • Opcode Fuzzy Hash: 6ecfd72dc5801bd679b2d7132a64ad9339a1a57dbf0f0530c178f984aa526ea7
                • Instruction Fuzzy Hash: 8C90022170180043D14171985418A064045F7E1311F59D411E0414998CD95589965322
                Function 014F2DD0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae0fedd2e4e84722eed42206d302728060f346a5f043d78460607cfc5d5842b7
                • Instruction ID: 10fbecab2ba737432e042b9a33bb5cb1c2757aeabe43d21294ea069c273aa422
                • Opcode Fuzzy Hash: ae0fedd2e4e84722eed42206d302728060f346a5f043d78460607cfc5d5842b7
                • Instruction Fuzzy Hash: C5900221642841925546B19844049074046B7E0251799C412A1414D94CC5669996D721
                Function 014F2DB0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb16a86476deb38995ca0ba3abd00109ab41d8f590fe12ec5186e7c43c6b03f1
                • Instruction ID: 3263676cbb652afefe6c1d024d29a8f700b69f3678942a0c627c5845464ff987
                • Opcode Fuzzy Hash: eb16a86476deb38995ca0ba3abd00109ab41d8f590fe12ec5186e7c43c6b03f1
                • Instruction Fuzzy Hash: 1490023164180442D14271984404A060049B7D0251F99C412A0424998EC6958B96AB61
                Function 014F2C60 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdf8e9ec94687043cfe4053fae60a64e18d0ecff14e2d1421d8e2036f54cf28f
                • Instruction ID: 1cd6d0d0fb2ac24820ea6cd77663976be186b7b131fbc62fba79c2a6e3430509
                • Opcode Fuzzy Hash: cdf8e9ec94687043cfe4053fae60a64e18d0ecff14e2d1421d8e2036f54cf28f
                • Instruction Fuzzy Hash: BE90023160180882D10171984404F460045A7E0311F59C416A0124A98DC655C9917621
                Function 014F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ec2f48b5bd3a429d5384465110f3b0eedd29438e965adf89d878edff1717ce4f
                • Instruction ID: db2a4868ae52197876320b0dfde5be7836d94d7f3fbfb3f156a073126dbb73f6
                • Opcode Fuzzy Hash: ec2f48b5bd3a429d5384465110f3b0eedd29438e965adf89d878edff1717ce4f
                • Instruction Fuzzy Hash: 01900221A0580442D14171985418B060055A7D0211F59D411A0024998DC6998B9567A1
                Function 014F2CF0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b7a94689c7fdc61c13bb3957750b209ad7278daf62c2b2e5c11f75c2a743a93d
                • Instruction ID: a19513ef98ba2aeff9519e0d6b81cd62cdd0ae0fb62b13148596fbd106a9a99d
                • Opcode Fuzzy Hash: b7a94689c7fdc61c13bb3957750b209ad7278daf62c2b2e5c11f75c2a743a93d
                • Instruction Fuzzy Hash: CE90023160180443D10171985508B070045A7D0211F59D811A042499CDD69689916221
                Function 014F2CA0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e1d4771415f6588b40eadcf4cccbf196ec08020c99fff6468506eb6269655cc
                • Instruction ID: b2524638cc029f14d6b0a10df1ca070e8d678933a61409ecc7d7bdff68852a50
                • Opcode Fuzzy Hash: 3e1d4771415f6588b40eadcf4cccbf196ec08020c99fff6468506eb6269655cc
                • Instruction Fuzzy Hash: 3290023160180442D10175D85408A460045A7E0311F59D411A5024999EC6A589D16231
                Function 014F2F60 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff2e2e13e011ae51d812558d27c4b32f473310843cdb17c8dac27189ee0fab26
                • Instruction ID: bc09ee9ec79343ae867c43b88348c4c75875a677b6a6e06942b7ce3e1fecf7bc
                • Opcode Fuzzy Hash: ff2e2e13e011ae51d812558d27c4b32f473310843cdb17c8dac27189ee0fab26
                • Instruction Fuzzy Hash: 3790026161180082D10571984404B060085A7E1211F59C412A2154998CC5698DA15225
                Function 014F2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0bf3ece4f57f39ce35efb1a714096fa241d883e3750a0f262e2957eca1d3533
                • Instruction ID: b4d451d1821c86ee627be70dd53068eb642dcab5f3021bbb552fab49826c4b4d
                • Opcode Fuzzy Hash: f0bf3ece4f57f39ce35efb1a714096fa241d883e3750a0f262e2957eca1d3533
                • Instruction Fuzzy Hash: E390026174180482D10171984414F060045E7E1311F59C415E1064998DC659CD926226
                Function 014F2FE0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7387cb9d1a2f82791dbb09399784ebfe037f72b82bcf893dfc28f7c7b1ef457d
                • Instruction ID: 7de400fc226f2ffbd76913ea0685519abfce274d9f9636fe12252db3cfc397bc
                • Opcode Fuzzy Hash: 7387cb9d1a2f82791dbb09399784ebfe037f72b82bcf893dfc28f7c7b1ef457d
                • Instruction Fuzzy Hash: 3D900221611C0082D20175A84C14F070045A7D0313F59C515A0154998CC95589A15621
                Function 014F2F90 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 14cf017aa4b3751fc759626b9ff325d9b064450e47954acb9bde9364b07e805b
                • Instruction ID: 5748f2f2a4b028dba12adb792e3322a9dd7c907efda320d0c370c15da695f6e2
                • Opcode Fuzzy Hash: 14cf017aa4b3751fc759626b9ff325d9b064450e47954acb9bde9364b07e805b
                • Instruction Fuzzy Hash: F2900231601C0442D10171984814B0B0045A7D0312F59C411A1164999DC66589916671
                Function 014F2FA0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e220690c38555ec95755d6a7417082c4030c15f412ebb94765bb096ae585a171
                • Instruction ID: 2f1f241384e9911471bfe7e347d9673f1544a4148979b7de212be637eb8f8978
                • Opcode Fuzzy Hash: e220690c38555ec95755d6a7417082c4030c15f412ebb94765bb096ae585a171
                • Instruction Fuzzy Hash: 2D900231601C0442D10171984808B470045A7D0312F59C411A5164999EC6A5C9D16631
                Function 014F2FB0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7c3743fb3343330c1fb3ed3e51ab48ceac68adf128ad3e2ee0eb3e9ce144f88c
                • Instruction ID: 9cf682f779a343683605a4eb31cb516e7728a3e0cc0b622166e57350ce669332
                • Opcode Fuzzy Hash: 7c3743fb3343330c1fb3ed3e51ab48ceac68adf128ad3e2ee0eb3e9ce144f88c
                • Instruction Fuzzy Hash: A1900221A0180082414171A88844D064045BBE1221759C521A0998994DC59989A55765
                Function 014F2E30 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e6bcb08eba592a800384ea9ea9318260b01d813eabc40b1bb4b4111a89685b2a
                • Instruction ID: 31cf1192c2297f16d140c9654cb8653a0cedb80ff5ddbe287452ee176b69720f
                • Opcode Fuzzy Hash: e6bcb08eba592a800384ea9ea9318260b01d813eabc40b1bb4b4111a89685b2a
                • Instruction Fuzzy Hash: CD90022170180442D10371984414A060049E7D1355F99C412E1424999DC6658A93A232
                Function 014F2EE0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68ff36f7c4cfb43cec092ff8c3554c0e0ac7689c10b7add11439acd89cd86c43
                • Instruction ID: fc9b1edb4dced70954e85db28c12b55880a397aaf4b08002f7d456b8937539f2
                • Opcode Fuzzy Hash: 68ff36f7c4cfb43cec092ff8c3554c0e0ac7689c10b7add11439acd89cd86c43
                • Instruction Fuzzy Hash: 45900261601C0443D14175984804A070045A7D0312F59C411A2064999ECA698D916235
                Function 014F2E80 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a38bba784c14c8720bcfd95417bcadfa48a58ef2d3e7bf81f085d3ab134ec5da
                • Instruction ID: 7429217302594c32898772c2269a0ace5a995b1cb43b9eb1d247334657784146
                • Opcode Fuzzy Hash: a38bba784c14c8720bcfd95417bcadfa48a58ef2d3e7bf81f085d3ab134ec5da
                • Instruction Fuzzy Hash: 64900221A0180542D10271984404A16004AA7D0251F99C422A1024999ECA658AD2A231
                Function 014F2EA0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 60d9d9cc66d90afba6763109dd78303276eeac863d17e2a9f7d2fb6863cbff3e
                • Instruction ID: 62bd9d969c855874343e63f5a01766b932a767e9e37a96afd1660431aa9ca531
                • Opcode Fuzzy Hash: 60d9d9cc66d90afba6763109dd78303276eeac863d17e2a9f7d2fb6863cbff3e
                • Instruction Fuzzy Hash: 2090027160180442D14171984404B460045A7D0311F59C411A5064998EC6998ED56765
                Function 014F3010 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 835633eb8e3c905e7cd6b103bff874252c1ec442b8d7994bd80cb6ba861e34d9
                • Instruction ID: b57f3e80525cfdb8a71f4ff340b8c4fe7a71e99daa9d0ad656378f1dd9dc9fbb
                • Opcode Fuzzy Hash: 835633eb8e3c905e7cd6b103bff874252c1ec442b8d7994bd80cb6ba861e34d9
                • Instruction Fuzzy Hash: E1900221601C4482D14172984804F0F4145A7E1212F99C419A4156998CC95589955721
                Function 014F3090 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4737b2897b9898c57e05fd76c7a8300e321e381ca90e1c94f45704a28693b8d6
                • Instruction ID: c53481cec8f3d83c4cc39c4fa858dfd2612853bf2ff2bd1f648bea9451773198
                • Opcode Fuzzy Hash: 4737b2897b9898c57e05fd76c7a8300e321e381ca90e1c94f45704a28693b8d6
                • Instruction Fuzzy Hash: 2C90022164180842D14171988414B070046E7D0611F59C411A0024998DC6568AA567B1
                Function 014F39B0 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8f1be3a955ca1fd3173cf8ab1a812ce8835a41a27e57bae2745946f360caf0cc
                • Instruction ID: 3bb6ec5545276ae7bdab98b09c3dbf42d9e78258de08874dac8966c940bfc4d3
                • Opcode Fuzzy Hash: 8f1be3a955ca1fd3173cf8ab1a812ce8835a41a27e57bae2745946f360caf0cc
                • Instruction Fuzzy Hash: 9190022164585142D151719C4404A164045B7E0211F59C421A08149D8DC59589956321
                Function 014F3D70 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 73e31e18142d9e8256e529cfce73989cd9624c10fb1c8549fd771cd9836d5981
                • Instruction ID: 91f19905c28d406522afb9f501e70c97b6b8810d4037aa574b7daaccbcd3db88
                • Opcode Fuzzy Hash: 73e31e18142d9e8256e529cfce73989cd9624c10fb1c8549fd771cd9836d5981
                • Instruction Fuzzy Hash: FF90023560180442D51171985804A460086A7D0311F59D811A042499CDC69489E1A221
                Function 014F3D10 Relevance: .0, Instructions: 4COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 187cc0db8c45f4859ec37d58be17dc050993906c4e2fb4fabb13c72a70c40817
                • Instruction ID: e5821aedf65fee8c9afb0befb037f506d7266fb707ec6695011f69e9bff85ed2
                • Opcode Fuzzy Hash: 187cc0db8c45f4859ec37d58be17dc050993906c4e2fb4fabb13c72a70c40817
                • Instruction Fuzzy Hash: 8190023160280182954172985804E4E4145A7E1312B99D815A0015998CC95489A15321
                Function 014F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                • Instruction ID: 34f0b348e126488d994b67bc5b3da795d643cc88cece7f49ebb3fccfbcc69ea9
                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                • Instruction Fuzzy Hash:
                Function 014F2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                • API String ID: 48624451-2108815105
                • Opcode ID: 8cb58ae36c389fda112de1c0487296c242cb0f93eb284a1f645ef3aa1a92005d
                • Instruction ID: d3c2ba5a77a40be6948851ecfdb94f2dc33f835cc05b00b1a033a1f58e3157fa
                • Opcode Fuzzy Hash: 8cb58ae36c389fda112de1c0487296c242cb0f93eb284a1f645ef3aa1a92005d
                • Instruction Fuzzy Hash: 3E51D6B6B00156AFCB11DF9C8890D7FFBB8BB49240B54822EE565DB791D374DE408BA0
                Function 01562410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                • API String ID: 48624451-2108815105
                • Opcode ID: 0dd145f8515c7e12a991bf6fb77c7ab9ad949f69e057ae335856cc40b1f0be0d
                • Instruction ID: af9735f252f40c18883910cc00d831516e083ed05fb6a3eb18779a9a4b370e81
                • Opcode Fuzzy Hash: 0dd145f8515c7e12a991bf6fb77c7ab9ad949f69e057ae335856cc40b1f0be0d
                • Instruction Fuzzy Hash: C251F775A00646AECB31DE9DC89097EBBFCFB54201F44885AE4D6CF681E674DA40C7A0
                Function 014E7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                Download Yara Rule
                Strings
                • Execute=1, xrefs: 01524713
                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01524742
                • ExecuteOptions, xrefs: 015246A0
                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01524787
                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01524725
                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015246FC
                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01524655
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                • API String ID: 0-484625025
                • Opcode ID: e031665d6c0a6f22fff11dd8fd5e5f73d9b7fc13e8fb9212d19e3f3aa80bb33c
                • Instruction ID: 3c81ae2e1eb1790112a6d0e8b4d6b63b9bcb5a7fa4e3175ed48ad1293abedc4f
                • Opcode Fuzzy Hash: e031665d6c0a6f22fff11dd8fd5e5f73d9b7fc13e8fb9212d19e3f3aa80bb33c
                • Instruction Fuzzy Hash: FD51613164021A6BEF109BA5DC49FAE3BE8FF54726F1400DFD605AB2E1D770AA458F90
                Function 014FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-$0$0
                • API String ID: 1302938615-699404926
                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                • Instruction ID: fefcd66e304a1b4c5ba07b7cfc612c00415cfdd2527ea9bcc3fc1974a3f87018
                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                • Instruction Fuzzy Hash: BE81AF70E052499EEF258E6CC8917FFBBB2EF86360F18411FDA55A73B1C63498418B52
                Function 014DF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                Download Yara Rule
                Strings
                • RTL: Re-Waiting, xrefs: 0152031E
                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015202E7
                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015202BD
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                • API String ID: 0-2474120054
                • Opcode ID: 9069bdf1d4a676605b4a0ba061e5f91248b87466552895f3ac507965394e31ec
                • Instruction ID: a7b676b1b46112adb116dabd2d80170ab283bdd01802f43bc8f5517f507db6e2
                • Opcode Fuzzy Hash: 9069bdf1d4a676605b4a0ba061e5f91248b87466552895f3ac507965394e31ec
                • Instruction Fuzzy Hash: E4E1BE316047429FDB25CF28C894B6ABBE0BB85314F140A5EF5A6CB3E1D774D84ACB42
                Function 014EBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                Download Yara Rule
                Strings
                • RTL: Resource at %p, xrefs: 01527B8E
                • RTL: Re-Waiting, xrefs: 01527BAC
                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01527B7F
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                • API String ID: 0-871070163
                • Opcode ID: dde6b0b0c892237afa50639c2540c13e244a1c372f50ea70ba8f2acff3c4c431
                • Instruction ID: ad8000aa0c52cba3a1ca790287dce079d8f03364276ebc0a3d23b1e523111318
                • Opcode Fuzzy Hash: dde6b0b0c892237afa50639c2540c13e244a1c372f50ea70ba8f2acff3c4c431
                • Instruction Fuzzy Hash: AF41E2317007039BD720DE29C850B2BB7E5FB99711F100A1EEA56DB3A0DB31E8058B91
                Function 014EB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                Download Yara Rule
                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0152728C
                Strings
                • RTL: Resource at %p, xrefs: 015272A3
                • RTL: Re-Waiting, xrefs: 015272C1
                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01527294
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                • API String ID: 885266447-605551621
                • Opcode ID: 56732d6f3d2b0b36098a7f6b6c42733e9a8389f304dabb1a3e3dcaeebee3cc78
                • Instruction ID: 944607635700f4158d605b621c564fdf9f1f800a107b108f4c4b29b283a83ea7
                • Opcode Fuzzy Hash: 56732d6f3d2b0b36098a7f6b6c42733e9a8389f304dabb1a3e3dcaeebee3cc78
                • Instruction Fuzzy Hash: 2241E132600617ABD721DE29CC41F6AB7E5FBAA711F10062AF955DB290DB30F85287D1
                Function 01562300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$]:%u
                • API String ID: 48624451-3050659472
                • Opcode ID: 9bce1c3ea4d487d492107dea419da31317ac827ddc3a0647cd48cbcc34f90929
                • Instruction ID: b33178d252561b895bf1b146caac943997a88dceee2c1ea07ee4d9c4eb353f7f
                • Opcode Fuzzy Hash: 9bce1c3ea4d487d492107dea419da31317ac827ddc3a0647cd48cbcc34f90929
                • Instruction Fuzzy Hash: 57316172A002199FDB20DF2DCC40BEEB7FCFB54650F95455AE949E7240EB30AA448BA0
                Function 014F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-
                • API String ID: 1302938615-2137968064
                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                • Instruction ID: 5afee909056e5b504eead4e51bd933a585419e806968eb9dc7166c049ac7cd74
                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                • Instruction Fuzzy Hash: B3919371E002069AEB24DF6DC890ABFBBA5EF44322F54451FEB55A73E0D73899418721
                Function 014B9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID:
                • String ID: $$@
                • API String ID: 0-1194432280
                • Opcode ID: 5b90d68b264caf28eebc06ef576c7549b6f99290ea4b168d182155c963b66732
                • Instruction ID: ce1693a603c99e9a5c578ed15ee3ebfb3e88d04b99bccb7918cd1e471104fe19
                • Opcode Fuzzy Hash: 5b90d68b264caf28eebc06ef576c7549b6f99290ea4b168d182155c963b66732
                • Instruction Fuzzy Hash: CF812B71D002699BEB35CB54CC44BEEB6B4AF08714F1445DAEA19BB290D7309E84DFA0
                Function 0153CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                Download Yara Rule
                APIs
                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0153CFBD
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1551765717.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1480000_#U0110#U1eb7t h#U00e0ng.jbxd
                Similarity
                • API ID: CallFilterFunc@8
                • String ID: @$@4Qw@4Qw
                • API String ID: 4062629308-2383119779
                • Opcode ID: d4d7d74e000a6f9c2c8e544c2438b97825349c7024e8dd2ed2bb3c00273c255a
                • Instruction ID: 884cbec1a0077db8492f39be17374ba35f8edb41322960be0dae38a9b52dcd45
                • Opcode Fuzzy Hash: d4d7d74e000a6f9c2c8e544c2438b97825349c7024e8dd2ed2bb3c00273c255a
                • Instruction Fuzzy Hash: 1F419075900215DFCB219FAAC840AADFBB8FFA4B50F40442EEA15DF264E774D805CB61