Windows Analysis Report
PO#86637.exe

Overview

General Information

Sample name: PO#86637.exe
Analysis ID: 1522678
MD5: c38fe2b4f5b0ebd3333a88fd42752f63
SHA1: 16db98340dac46d1ed93b119d165aaa5521d631c
SHA256: 3850da992cb6ca0cd6bcaafd65baeee9f420c3f878cf0aa6fc47fc5472e395cc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO#86637.exe (PID: 7936 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
    • powershell.exe (PID: 8108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3580 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 8156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5940 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO#86637.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
    • PO#86637.exe (PID: 332 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
    • PO#86637.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
  • Fyepece.exe (PID: 1160 cmdline: C:\Users\user\AppData\Roaming\Fyepece.exe MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
    • schtasks.exe (PID: 4472 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Fyepece.exe (PID: 6368 cmdline: "C:\Users\user\AppData\Roaming\Fyepece.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
    • Fyepece.exe (PID: 5992 cmdline: "C:\Users\user\AppData\Roaming\Fyepece.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
    • Fyepece.exe (PID: 6960 cmdline: "C:\Users\user\AppData\Roaming\Fyepece.exe" MD5: C38FE2B4F5B0EBD3333A88FD42752F63)
  • cleanup
No configs have been found
Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2be20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2eff3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17082:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: Process Memory Space: PO#86637.exe PID: 7936, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security

Source: 11.2.PO#86637.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 11.2.PO#86637.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2e1f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16282:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 11.2.PO#86637.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 11.2.PO#86637.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2eff3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17082:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#86637.exe", ParentImage: C:\Users\user\Desktop\PO#86637.exe, ParentProcessId: 7936, ParentProcessName: PO#86637.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe", ProcessId: 8108, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Fyepece.exe, ParentImage: C:\Users\user\AppData\Roaming\Fyepece.exe, ParentProcessId: 1160, ParentProcessName: Fyepece.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp", ProcessId: 4472, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#86637.exe", ParentImage: C:\Users\user\Desktop\PO#86637.exe, ParentProcessId: 7936, ParentProcessName: PO#86637.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp", ProcessId: 5940, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#86637.exe", ParentImage: C:\Users\user\Desktop\PO#86637.exe, ParentProcessId: 7936, ParentProcessName: PO#86637.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe", ProcessId: 8108, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#86637.exe", ParentImage: C:\Users\user\Desktop\PO#86637.exe, ParentProcessId: 7936, ParentProcessName: PO#86637.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp", ProcessId: 5940, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Roaming\Fyepece.exe, ReversingLabs: Detection: 21%
Source: PO#86637.exe, Virustotal: Detection: 24%
Source: PO#86637.exe, ReversingLabs: Detection: 21%
Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Fyepece.exe, Joe Sandbox ML: detected
Source: PO#86637.exe, Joe Sandbox ML: detected
Source: PO#86637.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#86637.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RWnC.pdb source: PO#86637.exe, Fyepece.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO#86637.exe, PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RWnC.pdbSHA256U source: PO#86637.exe, Fyepece.exe.0.dr
Source: C:\Users\user\AppData\Roaming\Fyepece.exe, Code function: 4x nop then jmp 08310CB1h, 12_2_083101BC
Source: PO#86637.exe, 00000000.00000002.1430741996.0000000003144000.00000004.00000800.00020000.00000000.sdmp, Fyepece.exe, 0000000C.00000002.1561312955.000000000339D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: initial sample, Static PE information: Filename: PO#86637.exe
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_0042C283 NtClose, 11_2_0042C283
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962B60 NtClose, LdrInitializeThunk, 11_2_01962B60
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962DF0 NtQuerySystemInformation, LdrInitializeThunk, 11_2_01962DF0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962C70 NtFreeVirtualMemory, LdrInitializeThunk, 11_2_01962C70
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_019635C0 NtCreateMutant, LdrInitializeThunk, 11_2_019635C0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01964340 NtSetContextThread, 11_2_01964340
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01964650 NtSuspendThread, 11_2_01964650
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962B80 NtQueryInformationFile, 11_2_01962B80
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962BA0 NtEnumerateValueKey, 11_2_01962BA0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962BF0 NtAllocateVirtualMemory, 11_2_01962BF0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962BE0 NtQueryValueKey, 11_2_01962BE0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962AB0 NtWaitForSingleObject, 11_2_01962AB0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962AD0 NtReadFile, 11_2_01962AD0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962AF0 NtWriteFile, 11_2_01962AF0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962DB0 NtEnumerateKey, 11_2_01962DB0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962DD0 NtDelayExecution, 11_2_01962DD0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962D10 NtMapViewOfSection, 11_2_01962D10
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962D00 NtSetInformationFile, 11_2_01962D00
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962D30 NtUnmapViewOfSection, 11_2_01962D30
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962CA0 NtQueryInformationToken, 11_2_01962CA0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962CC0 NtQueryVirtualMemory, 11_2_01962CC0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962CF0 NtOpenProcess, 11_2_01962CF0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962C00 NtQueryInformationProcess, 11_2_01962C00
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962C60 NtCreateKey, 11_2_01962C60
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962F90 NtProtectVirtualMemory, 11_2_01962F90
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962FB0 NtResumeThread, 11_2_01962FB0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962FA0 NtQuerySection, 11_2_01962FA0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962FE0 NtCreateFile, 11_2_01962FE0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962F30 NtCreateSection, 11_2_01962F30
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962F60 NtCreateProcessEx, 11_2_01962F60
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962E80 NtReadVirtualMemory, 11_2_01962E80
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962EA0 NtAdjustPrivilegesToken, 11_2_01962EA0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962EE0 NtQueueApcThread, 11_2_01962EE0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01962E30 NtWriteVirtualMemory, 11_2_01962E30
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01963090 NtSetValueKey, 11_2_01963090
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01963010 NtOpenDirectoryObject, 11_2_01963010
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_019639B0 NtGetContextThread, 11_2_019639B0
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01963D10 NtOpenProcessToken, 11_2_01963D10
Source: C:\Users\user\Desktop\PO#86637.exe, Code function: 11_2_01963D70 NtOpenThread, 11_2_01963D70
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01975AA011_2_01975AA0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D1AA311_2_019D1AA3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019DDAC611_2_019DDAC6
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019EFA4911_2_019EFA49
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019E7A4611_2_019E7A46
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A3A6C11_2_019A3A6C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194FDC011_2_0194FDC0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019E1D5A11_2_019E1D5A
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01933D4011_2_01933D40
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019E7D7311_2_019E7D73
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019EFCF211_2_019EFCF2
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A9C3211_2_019A9C32
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01931F9211_2_01931F92
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019EFFB111_2_019EFFB1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019EFF0911_2_019EFF09
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01939EB011_2_01939EB0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF36D012_2_07CF36D0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF460812_2_07CF4608
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF004012_2_07CF0040
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF0F2812_2_07CF0F28
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFE7C812_2_07CFE7C8
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFE7B812_2_07CFE7B8
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF36C012_2_07CF36C0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF45F912_2_07CF45F9
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF34C012_2_07CF34C0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF34B112_2_07CF34B1
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF538812_2_07CF5388
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFE38212_2_07CFE382
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFE39012_2_07CFE390
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF537812_2_07CF5378
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF533112_2_07CF5331
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFB29012_2_07CFB290
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF325012_2_07CF3250
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF326012_2_07CF3260
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFC1E012_2_07CFC1E0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF30C012_2_07CF30C0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF30B012_2_07CF30B0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF002312_2_07CF0023
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF0F1712_2_07CF0F17
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF3EFB12_2_07CF3EFB
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFDE8012_2_07CFDE80
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF1E4012_2_07CF1E40
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF3E4012_2_07CF3E40
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF4E4012_2_07CF4E40
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF1E5012_2_07CF1E50
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF3E5012_2_07CF3E50
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF4E5012_2_07CF4E50
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFDE7012_2_07CFDE70
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CFBD9312_2_07CFBD93
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF1C4012_2_07CF1C40
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF1C5012_2_07CF1C50
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF2A1112_2_07CF2A11
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF2A2012_2_07CF2A20
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF391812_2_07CF3918
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07CF392812_2_07CF3928
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCE0E012_2_07DCE0E0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DC4D0012_2_07DC4D00
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DC4CF012_2_07DC4CF0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCC47812_2_07DCC478
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCC46812_2_07DCC468
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCD0D812_2_07DCD0D8
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCE0D012_2_07DCE0D0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCD0C912_2_07DCD0C9
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCE84812_2_07DCE848
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 12_2_07DCE83812_2_07DCE838
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015E010018_2_015E0100
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0163600018_2_01636000
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_016702C018_2_016702C0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F053518_2_015F0535
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F077018_2_015F0770
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0161475018_2_01614750
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015EC7C018_2_015EC7C0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160C6E018_2_0160C6E0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160696218_2_01606962
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F29A018_2_015F29A0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F284018_2_015F2840
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015FA84018_2_015FA840
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0161E8F018_2_0161E8F0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015D68B818_2_015D68B8
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0162889018_2_01628890
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015EEA8018_2_015EEA80
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015FED7A18_2_015FED7A
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015FAD0018_2_015FAD00
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F8DC018_2_015F8DC0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015EADE018_2_015EADE0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01608DBF18_2_01608DBF
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F0C0018_2_015F0C00
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015E0CF218_2_015E0CF2
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01664F4018_2_01664F40
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01632F2818_2_01632F28
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01610F3018_2_01610F30
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015E2FC818_2_015E2FC8
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0166EFA018_2_0166EFA0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F0E5918_2_015F0E59
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01602E9018_2_01602E90
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0162516C18_2_0162516C
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015DF17218_2_015DF172
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015FB1B018_2_015FB1B0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015DD34C18_2_015DD34C
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F33F318_2_015F33F3
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160D2F018_2_0160D2F0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160B2C018_2_0160B2C0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F52A018_2_015F52A0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015E146018_2_015E1460
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_016374E018_2_016374E0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F349718_2_015F3497
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015FB73018_2_015FB730
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F995018_2_015F9950
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160B95018_2_0160B950
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F599018_2_015F5990
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0165D80018_2_0165D800
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F38E018_2_015F38E0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01665BF018_2_01665BF0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0162DBF918_2_0162DBF9
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160FB8018_2_0160FB80
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01663A6C18_2_01663A6C
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F3D4018_2_015F3D40
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_0160FDC018_2_0160FDC0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01609C2018_2_01609C20
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_01669C3218_2_01669C32
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F1F9218_2_015F1F92
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: 18_2_015F9EB018_2_015F9EB0
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: String function: 0165EA12 appears 37 times
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeCode function: String function: 01637E54 appears 97 times
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: String function: 01965130 appears 58 times
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: String function: 019AF290 appears 105 times
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: String function: 01977E54 appears 111 times
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: String function: 0199EA12 appears 86 times
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: String function: 0191B970 appears 280 times
            Source: PO#86637.exe, 00000000.00000002.1465826910.000000000A510000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PO#86637.exe
            Source: PO#86637.exe, 00000000.00000000.1407683939.0000000000B58000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRWnC.exe> vs PO#86637.exe
            Source: PO#86637.exe, 00000000.00000002.1429036257.0000000000FAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO#86637.exe
            Source: PO#86637.exe, 0000000B.00000002.1584084138.0000000001A1D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO#86637.exe
            Source: PO#86637.exeBinary or memory string: OriginalFilenameRWnC.exe> vs PO#86637.exe
            Source: PO#86637.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: PO#86637.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Fyepece.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, gaT0VtLolsTmIlrt70.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, gaT0VtLolsTmIlrt70.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, gaT0VtLolsTmIlrt70.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@27/15@0/0
            Source: C:\Users\user\Desktop\PO#86637.exe File created: C:\Users\user\AppData\Roaming\Fyepece.exe
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
            Source: C:\Users\user\Desktop\PO#86637.exe File created: C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp
            Source: PO#86637.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: PO#86637.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\PO#86637.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\PO#86637.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PO#86637.exeVirustotal: Detection: 24%
            Source: PO#86637.exeReversingLabs: Detection: 21%
            Source: C:\Users\user\Desktop\PO#86637.exe File read: C:\Users\user\Desktop\PO#86637.exe
            Source: unknownProcess created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
            Source: C:\Users\user\Desktop\PO#86637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO#86637.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO#86637.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO#86637.exeProcess created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
            Source: C:\Users\user\Desktop\PO#86637.exeProcess created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
            Source: C:\Users\user\Desktop\PO#86637.exeProcess created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Fyepece.exe C:\Users\user\AppData\Roaming\Fyepece.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeProcess created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeProcess created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeProcess created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: msvcp140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\PO#86637.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\PO#86637.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: PO#86637.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO#86637.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: PO#86637.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: RWnC.pdb source: PO#86637.exe, Fyepece.exe.0.dr
            Source: Binary string: wntdll.pdbUGP source: PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO#86637.exe, PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: RWnC.pdbSHA256U source: PO#86637.exe, Fyepece.exe.0.dr

            Data Obfuscation

            Source: 0.2.PO#86637.exe.3ec1c20.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.cs .Net Code: fWOZhDRxOu System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.cs .Net Code: fWOZhDRxOu System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.cs .Net Code: fWOZhDRxOu System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO#86637.exe.7430000.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_01470DF5 pushfd ; iretd 0_2_01470DF9
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A97080 pushad ; ret 0_2_05A97081
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A97082 push esp; ret 0_2_05A97089
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A9FC12 push esp; ret 0_2_05A9FC19
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A93E78 push eax; mov dword ptr [esp], ecx 0_2_05A93E7C
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0041A87D push esp; retf 11_2_0041A87E
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0040710D pushfd ; retf 11_2_0040710E
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423916 push esi; retf 11_2_0042392E
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423923 push esi; retf 11_2_0042392E
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004031D0 push eax; ret 11_2_004031D2
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00418B76 push ebx; retf 11_2_00418B77
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423B35 push cs; retf 11_2_00423B36
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0041A3C1 push edi; retf 11_2_0041A3C7
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004143E3 push edi; iretd 11_2_004143EF
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423C2F push C67CA722h; ret 11_2_00423C34
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00411DA3 push edi; iretd 11_2_00411DAF
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00424700 push ecx; retf 11_2_00424749
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004247A8 push edi; ret 11_2_004247AC
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019209AD push ecx; mov dword ptr [esp], ecx 11_2_019209B6
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_03120DF5 pushfd ; iretd 12_2_03120DF9
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF92E8 pushfd ; iretd 12_2_07CF92E9
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF0E8B push es; iretd 12_2_07CF0E8E
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF0E47 push 0000000Ch; iretd 12_2_07CF0E4A
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF0E6B push es; iretd 12_2_07CF0E72
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07DC3E78 push eax; mov dword ptr [esp], ecx 12_2_07DC3E7C
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07DC7080 pushad ; ret 12_2_07DC7081
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07DC7083 push esp; ret 12_2_07DC7089
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_0831364D push FFFFFF8Bh; iretd 12_2_0831364F
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_083117AA push esp; iretd 12_2_083117AD
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 18_2_0162C54F push 8B015B67h; ret 18_2_0162C554
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 18_2_0162C54D pushfd ; ret 18_2_0162C54E
            Source: PO#86637.exe Static PE information: section name: .text entropy: 7.775931986103321
            Source: Fyepece.exe.0.dr Static PE information: section name: .text entropy: 7.775931986103321
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, aaOnasOOrmA08I2wWux.csHigh entropy of concatenated method names: 'ToString', 'uuVPs0pbO2', 'sW0PZq9j5p', 'YGAP6HZxdC', 'CDwPt2vEL8', 'sRhPHUegSC', 'aPDPgfHEiD', 'CpKP2i4k5T', 'V6ZAPMEmC6DuGgjn5Av', 'yYX4TWENGDe912wIet6'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, mi9sax1VSksVKx3i4W.csHigh entropy of concatenated method names: 'ToString', 'JGGjKk0WM2', 'wLLjWn2ccg', 'QdOj8WOEJP', 'Kh2j3cNACP', 'HVqjAaeVtr', 'khYjNQJdrB', 'O5Zj7RM64h', 'zBejaF6q77', 'bGOjxGF4Lj'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, fhC2YhcDAwMvSech5h.csHigh entropy of concatenated method names: 'hKmdfWBgZa', 'bkIdo5hHlE', 'jKldcdrHBJ', 'zl5dUCBm9W', 'spbdW0SdiX', 'tZ3d8I370V', 'kNCd3Gj9Po', 'T41dAco38e', 'DyodNK5Wcv', 'YwRd77ifp1'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.csHigh entropy of concatenated method names: 'wQvs6CAoHK', 'JHqst1AYSi', 'csfsHBUBSe', 'hASsg2nf4M', 'Nvbs2yGBR4', 'PsuswXetGy', 'P9UspwBwrm', 'LihsDApAsA', 'lTZskd0AXJ', 'gnQsyxJBEn'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, OXWBBDZiEOUKc1d7yd.csHigh entropy of concatenated method names: 'TRHOpaT0Vt', 'PlsODTmIlr', 'UpmOy6e5jY', 'Nj3Ol4G8lP', 'zGyOd73OAa', 'VlCOjj6heu', 'XO3sE6VuwirSZT7uHu', 'q3abZFMZxWGujkhqNg', 'MkHOObaBmH', 'n2QOsbiXwd'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, sgAmBSv3yqo7QmRnDX.csHigh entropy of concatenated method names: 'CPTTix6L8c', 'X8uTVX2B1r', 'XRsEJv1ZFN', 'HJaEO0Z68T', 'L4STKKl5Pj', 'RctTobYrA3', 'alKT5A3KAh', 'B3BTcspxpP', 'N91TU9CetX', 'TdUT1BBgPc'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, mDCJGi5n5IiQBlF3Di.csHigh entropy of concatenated method names: 'S3TILcpQ7A', 'RXDIG6GMCv', 'LjaIFREEr3', 'hRsIWJL1Un', 'aNVI3KlhOP', 'gHgIA35HM2', 'pItI7Lox0R', 'xRbIaVBxZf', 'NNuIfQac9s', 'VneIKxGuNg'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, MIx6NdzWM7MNjAuofV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GtlYI4ViXC', 'juSYdXK7jl', 'pFoYjSkd16', 'X9mYTl6ls7', 'M47YELOrub', 'rn5YYGC9xq', 'PfhYPGO6xi'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, bAavlCFj6heusMkO2Q.csHigh entropy of concatenated method names: 'uCXw6Cd9Qs', 'norwHSFiOv', 'Xmuw2Shpj4', 'TFawpSD3jg', 'NmAwDChp3H', 'tQj2C9HQNV', 'iY22vPX5lT', 'mHL2eqgOAj', 'yiv2iC3Vyh', 'VGP2qRYjyB'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, gaT0VtLolsTmIlrt70.csHigh entropy of concatenated method names: 'pFyHcA5puL', 'uLuHU7oUQU', 'UCXH1pebDx', 'Gh5H9oMQet', 's4MHCoD6UR', 'jBlHvK4r2d', 'LGaHeau0m0', 'bv8HiDUWNm', 'BhbHqRaANe', 'VAXHVwyjX2'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, E8lPECR9BGmgOhGy73.csHigh entropy of concatenated method names: 'umZ2Q3xvQg', 'De72naqrFM', 'cIdg8NNGIN', 'bPpg3IEPRv', 'Wf5gAFeo9e', 'bssgNnQp0Y', 'b4Qg7JYw9C', 'LF2galNlit', 'qUHgxFfEqB', 'Sk5gfByYvR'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, ihr2IjOsiu7TSCME1ab.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kjRPcSNw5R', 'u8IPUd7IPQ', 'gjQP17G3Tf', 'dfLP9eJQkt', 'k5kPCc0ltQ', 'u71PvxMVCV', 'pFjPe9gvOw'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, NlPEcCGpm6e5jYfj34.csHigh entropy of concatenated method names: 'hWdg4OKsDI', 'TjAgXXi1Xn', 'fAEgLh7IcP', 'e7ygGVkm7K', 'F2FgdZGG4f', 'gA2gjjccsk', 'FmcgTf73jX', 'qlegExEAwG', 'U0TgYKB5Hx', 'IEOgPYvrlq'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, wYLaRBisUKwyOTbCK3.csHigh entropy of concatenated method names: 'qPuEtpNlAn', 'uwJEH0O0A1', 'aCfEgxmJJF', 'gnGE2GZsK3', 'mrYEwXOmDD', 'xqfEpPfa1C', 'gUUEDdQcgR', 'WYNEkev6ur', 'PmMEyGRxro', 'XIYElZeOhc'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, d2ad8ROJHVErhE8p8b9.csHigh entropy of concatenated method names: 'dWMYBBVMCT', 'qeRYMHy2hs', 'dqZYhGPPKn', 'p5HY4BNZp8', 'yR0YQpGmLJ', 'G9rYXGoAol', 'XJqYnWL9H7', 'YejYLeXnXj', 'LtgYGHrR3O', 's4KYRqFog0'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, oAseWL02DMjjqFMBXR.csHigh entropy of concatenated method names: 'myEhhQGH2', 'O9H48we8m', 'z4FX9JQSK', 'fOpnw1waF', 'It1G6pAl1', 'DOTRQbLGc', 'SuM6owUF4JYX2kbFMj', 'BusdXRGObGaO7AviEp', 'ocQE4x1eR', 'xumPPJTcK'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, NjAYRtVR1ISG2pUfbe.csHigh entropy of concatenated method names: 'nUGYOgDKyw', 'pwqYsaSXK9', 'kyBYZPkKhc', 'dskYtkGA4q', 'UM4YHLgrcf', 'DUkY2mkv1v', 'FMiYw07QAJ', 'NITEedw8xv', 'bFEEi4Kj1O', 'yFsEqNuCv7'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, dDoUytHr6ppWvIHaSy.csHigh entropy of concatenated method names: 'Dispose', 'netOqA4u8M', 'oKi0WHEBic', 'NXMYYNv6b0', 'vrYOVLaRBs', 'RKwOzyOTbC', 'ProcessDialogKey', 'O3k0JhKH8E', 'N7Q0OsUWZn', 'qMo00xjAYR'
            Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, ln54oQxhBJyjDrYAS1.csHigh entropy of concatenated method names: 'llBpBfaqKF', 'i4KpMKLtKM', 'yvNphg4eT7', 'uuIp4qs3QS', 'htIpQb6LTa', 'LFEpXyvaEM', 'hRJpnd3iPp', 'OR9pLvYv3m', 'pMZpGCI7mB', 'VySpRxCH21'
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, dDoUytHr6ppWvIHaSy.csHigh entropy of concatenated method names: 'Dispose', 'netOqA4u8M', 'oKi0WHEBic', 'NXMYYNv6b0', 'vrYOVLaRBs', 'RKwOzyOTbC', 'ProcessDialogKey', 'O3k0JhKH8E', 'N7Q0OsUWZn', 'qMo00xjAYR'
            Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, ln54oQxhBJyjDrYAS1.csHigh entropy of concatenated method names: 'llBpBfaqKF', 'i4KpMKLtKM', 'yvNphg4eT7', 'uuIp4qs3QS', 'htIpQb6LTa', 'LFEpXyvaEM', 'hRJpnd3iPp', 'OR9pLvYv3m', 'pMZpGCI7mB', 'VySpRxCH21'
            Source: C:\Users\user\Desktop\PO#86637.exe File created: C:\Users\user\AppData\Roaming\Fyepece.exe

            Boot Survival

            Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\PO#86637.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: PO#86637.exe PID: 7936, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Fyepece.exe PID: 1160, type: MEMORYSTR
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 1470000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 2E90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 14D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 7DB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 8DB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 8F60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 9F60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: A5A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: B5A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: C5A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 1A00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 3320000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 3040000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 7ED0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 8ED0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 9070000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: A070000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: A600000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: B600000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0196096E rdtsc 11_2_0196096E
            Source: C:\Users\user\Desktop\PO#86637.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4214
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2784
            Source: C:\Users\user\Desktop\PO#86637.exe API coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe API coverage: 0.3 %
            Source: C:\Users\user\Desktop\PO#86637.exe TID: 7956 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep count: 4214 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 96 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3184 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\Desktop\PO#86637.exe TID: 7728 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe TID: 4476 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe TID: 3068 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO#86637.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PO#86637.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004173A3 LdrLoadDll, 11_2_004173A3
            Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A019F mov eax, dword ptr fs:[00000030h] 11_2_019A019F
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192A3C0 mov eax, dword ptr fs:[00000030h]11_2_0192A3C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019283C0 mov eax, dword ptr fs:[00000030h]11_2_019283C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019283C0 mov eax, dword ptr fs:[00000030h]11_2_019283C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019283C0 mov eax, dword ptr fs:[00000030h]11_2_019283C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019283C0 mov eax, dword ptr fs:[00000030h]11_2_019283C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A63C0 mov eax, dword ptr fs:[00000030h]11_2_019A63C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0193E3F0 mov eax, dword ptr fs:[00000030h]11_2_0193E3F0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0193E3F0 mov eax, dword ptr fs:[00000030h]11_2_0193E3F0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0193E3F0 mov eax, dword ptr fs:[00000030h]11_2_0193E3F0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019563FF mov eax, dword ptr fs:[00000030h]11_2_019563FF
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019303E9 mov eax, dword ptr fs:[00000030h]11_2_019303E9
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191C310 mov ecx, dword ptr fs:[00000030h]11_2_0191C310
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01940310 mov ecx, dword ptr fs:[00000030h]11_2_01940310
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195A30B mov eax, dword ptr fs:[00000030h]11_2_0195A30B
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195A30B mov eax, dword ptr fs:[00000030h]11_2_0195A30B
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195A30B mov eax, dword ptr fs:[00000030h]11_2_0195A30B
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F8324 mov eax, dword ptr fs:[00000030h]11_2_019F8324
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F8324 mov ecx, dword ptr fs:[00000030h]11_2_019F8324
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F8324 mov eax, dword ptr fs:[00000030h]11_2_019F8324
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F8324 mov eax, dword ptr fs:[00000030h]11_2_019F8324
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A035C mov eax, dword ptr fs:[00000030h]11_2_019A035C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A035C mov eax, dword ptr fs:[00000030h]11_2_019A035C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A035C mov eax, dword ptr fs:[00000030h]11_2_019A035C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A035C mov ecx, dword ptr fs:[00000030h]11_2_019A035C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A035C mov eax, dword ptr fs:[00000030h]11_2_019A035C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A035C mov eax, dword ptr fs:[00000030h]11_2_019A035C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019EA352 mov eax, dword ptr fs:[00000030h]11_2_019EA352
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019C8350 mov ecx, dword ptr fs:[00000030h]11_2_019C8350
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F634F mov eax, dword ptr fs:[00000030h]11_2_019F634F
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A2349 mov eax, dword ptr fs:[00000030h]11_2_019A2349
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019C437C mov eax, dword ptr fs:[00000030h]11_2_019C437C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E284 mov eax, dword ptr fs:[00000030h]11_2_0195E284
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E284 mov eax, dword ptr fs:[00000030h]11_2_0195E284
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A0283 mov eax, dword ptr fs:[00000030h]11_2_019A0283
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A0283 mov eax, dword ptr fs:[00000030h]11_2_019A0283
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A0283 mov eax, dword ptr fs:[00000030h]11_2_019A0283
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019302A0 mov eax, dword ptr fs:[00000030h]11_2_019302A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019302A0 mov eax, dword ptr fs:[00000030h]11_2_019302A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B62A0 mov eax, dword ptr fs:[00000030h]11_2_019B62A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B62A0 mov ecx, dword ptr fs:[00000030h]11_2_019B62A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B62A0 mov eax, dword ptr fs:[00000030h]11_2_019B62A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B62A0 mov eax, dword ptr fs:[00000030h]11_2_019B62A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B62A0 mov eax, dword ptr fs:[00000030h]11_2_019B62A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B62A0 mov eax, dword ptr fs:[00000030h]11_2_019B62A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F62D6 mov eax, dword ptr fs:[00000030h]11_2_019F62D6
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192A2C3 mov eax, dword ptr fs:[00000030h]11_2_0192A2C3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192A2C3 mov eax, dword ptr fs:[00000030h]11_2_0192A2C3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192A2C3 mov eax, dword ptr fs:[00000030h]11_2_0192A2C3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192A2C3 mov eax, dword ptr fs:[00000030h]11_2_0192A2C3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192A2C3 mov eax, dword ptr fs:[00000030h]11_2_0192A2C3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019302E1 mov eax, dword ptr fs:[00000030h]11_2_019302E1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019302E1 mov eax, dword ptr fs:[00000030h]11_2_019302E1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019302E1 mov eax, dword ptr fs:[00000030h]11_2_019302E1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191823B mov eax, dword ptr fs:[00000030h]11_2_0191823B
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191A250 mov eax, dword ptr fs:[00000030h]11_2_0191A250
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F625D mov eax, dword ptr fs:[00000030h]11_2_019F625D
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01926259 mov eax, dword ptr fs:[00000030h]11_2_01926259
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019DA250 mov eax, dword ptr fs:[00000030h]11_2_019DA250
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019DA250 mov eax, dword ptr fs:[00000030h]11_2_019DA250
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A8243 mov eax, dword ptr fs:[00000030h]11_2_019A8243
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A8243 mov ecx, dword ptr fs:[00000030h]11_2_019A8243
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D0274 mov eax, dword ptr fs:[00000030h]11_2_019D0274
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01924260 mov eax, dword ptr fs:[00000030h]11_2_01924260
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01924260 mov eax, dword ptr fs:[00000030h]11_2_01924260
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01924260 mov eax, dword ptr fs:[00000030h]11_2_01924260
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191826B mov eax, dword ptr fs:[00000030h]11_2_0191826B
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E59C mov eax, dword ptr fs:[00000030h]11_2_0195E59C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01922582 mov eax, dword ptr fs:[00000030h]11_2_01922582
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01922582 mov ecx, dword ptr fs:[00000030h]11_2_01922582
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01954588 mov eax, dword ptr fs:[00000030h]11_2_01954588
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019445B1 mov eax, dword ptr fs:[00000030h]11_2_019445B1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019445B1 mov eax, dword ptr fs:[00000030h]11_2_019445B1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A05A7 mov eax, dword ptr fs:[00000030h]11_2_019A05A7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A05A7 mov eax, dword ptr fs:[00000030h]11_2_019A05A7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A05A7 mov eax, dword ptr fs:[00000030h]11_2_019A05A7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019265D0 mov eax, dword ptr fs:[00000030h]11_2_019265D0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195A5D0 mov eax, dword ptr fs:[00000030h]11_2_0195A5D0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195A5D0 mov eax, dword ptr fs:[00000030h]11_2_0195A5D0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E5CF mov eax, dword ptr fs:[00000030h]11_2_0195E5CF
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E5CF mov eax, dword ptr fs:[00000030h]11_2_0195E5CF
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019225E0 mov eax, dword ptr fs:[00000030h]11_2_019225E0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E5E7 mov eax, dword ptr fs:[00000030h]11_2_0194E5E7
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195C5ED mov eax, dword ptr fs:[00000030h]11_2_0195C5ED
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195C5ED mov eax, dword ptr fs:[00000030h]11_2_0195C5ED
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019B6500 mov eax, dword ptr fs:[00000030h]11_2_019B6500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019F4500 mov eax, dword ptr fs:[00000030h]11_2_019F4500
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930535 mov eax, dword ptr fs:[00000030h]11_2_01930535
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930535 mov eax, dword ptr fs:[00000030h]11_2_01930535
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930535 mov eax, dword ptr fs:[00000030h]11_2_01930535
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930535 mov eax, dword ptr fs:[00000030h]11_2_01930535
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930535 mov eax, dword ptr fs:[00000030h]11_2_01930535
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930535 mov eax, dword ptr fs:[00000030h]11_2_01930535
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E53E mov eax, dword ptr fs:[00000030h]11_2_0194E53E
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E53E mov eax, dword ptr fs:[00000030h]11_2_0194E53E
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E53E mov eax, dword ptr fs:[00000030h]11_2_0194E53E
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E53E mov eax, dword ptr fs:[00000030h]11_2_0194E53E
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194E53E mov eax, dword ptr fs:[00000030h]11_2_0194E53E
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01928550 mov eax, dword ptr fs:[00000030h]11_2_01928550
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01928550 mov eax, dword ptr fs:[00000030h]11_2_01928550
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195656A mov eax, dword ptr fs:[00000030h]11_2_0195656A
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195656A mov eax, dword ptr fs:[00000030h]11_2_0195656A
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195656A mov eax, dword ptr fs:[00000030h]11_2_0195656A
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019DA49A mov eax, dword ptr fs:[00000030h]11_2_019DA49A
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019544B0 mov ecx, dword ptr fs:[00000030h]11_2_019544B0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019AA4B0 mov eax, dword ptr fs:[00000030h]11_2_019AA4B0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019264AB mov eax, dword ptr fs:[00000030h]11_2_019264AB
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019204E5 mov ecx, dword ptr fs:[00000030h]11_2_019204E5
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01958402 mov eax, dword ptr fs:[00000030h]11_2_01958402
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01958402 mov eax, dword ptr fs:[00000030h]11_2_01958402
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01958402 mov eax, dword ptr fs:[00000030h]11_2_01958402
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195A430 mov eax, dword ptr fs:[00000030h]11_2_0195A430
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191E420 mov eax, dword ptr fs:[00000030h]11_2_0191E420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191E420 mov eax, dword ptr fs:[00000030h]11_2_0191E420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191E420 mov eax, dword ptr fs:[00000030h]11_2_0191E420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191C427 mov eax, dword ptr fs:[00000030h]11_2_0191C427
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A6420 mov eax, dword ptr fs:[00000030h]11_2_019A6420
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019DA456 mov eax, dword ptr fs:[00000030h]11_2_019DA456
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0191645D mov eax, dword ptr fs:[00000030h]11_2_0191645D
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194245A mov eax, dword ptr fs:[00000030h]11_2_0194245A
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195E443 mov eax, dword ptr fs:[00000030h]11_2_0195E443
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194A470 mov eax, dword ptr fs:[00000030h]11_2_0194A470
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194A470 mov eax, dword ptr fs:[00000030h]11_2_0194A470
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0194A470 mov eax, dword ptr fs:[00000030h]11_2_0194A470
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019AC460 mov ecx, dword ptr fs:[00000030h]11_2_019AC460
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019C678E mov eax, dword ptr fs:[00000030h]11_2_019C678E
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019207AF mov eax, dword ptr fs:[00000030h]11_2_019207AF
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019D47A0 mov eax, dword ptr fs:[00000030h]11_2_019D47A0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0192C7C0 mov eax, dword ptr fs:[00000030h]11_2_0192C7C0
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A07C3 mov eax, dword ptr fs:[00000030h]11_2_019A07C3
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019247FB mov eax, dword ptr fs:[00000030h]11_2_019247FB
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019247FB mov eax, dword ptr fs:[00000030h]11_2_019247FB
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019427ED mov eax, dword ptr fs:[00000030h]11_2_019427ED
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019427ED mov eax, dword ptr fs:[00000030h]11_2_019427ED
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019427ED mov eax, dword ptr fs:[00000030h]11_2_019427ED
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019AE7E1 mov eax, dword ptr fs:[00000030h]11_2_019AE7E1
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01920710 mov eax, dword ptr fs:[00000030h]11_2_01920710
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01950710 mov eax, dword ptr fs:[00000030h]11_2_01950710
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195C700 mov eax, dword ptr fs:[00000030h]11_2_0195C700
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195273C mov eax, dword ptr fs:[00000030h]11_2_0195273C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195273C mov ecx, dword ptr fs:[00000030h]11_2_0195273C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195273C mov eax, dword ptr fs:[00000030h]11_2_0195273C
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0199C730 mov eax, dword ptr fs:[00000030h]11_2_0199C730
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195C720 mov eax, dword ptr fs:[00000030h]11_2_0195C720
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195C720 mov eax, dword ptr fs:[00000030h]11_2_0195C720
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01920750 mov eax, dword ptr fs:[00000030h]11_2_01920750
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01962750 mov eax, dword ptr fs:[00000030h]11_2_01962750
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01962750 mov eax, dword ptr fs:[00000030h]11_2_01962750
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019AE75D mov eax, dword ptr fs:[00000030h]11_2_019AE75D
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_019A4755 mov eax, dword ptr fs:[00000030h]11_2_019A4755
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195674D mov esi, dword ptr fs:[00000030h]11_2_0195674D
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195674D mov eax, dword ptr fs:[00000030h]11_2_0195674D
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_0195674D mov eax, dword ptr fs:[00000030h]11_2_0195674D
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01928770 mov eax, dword ptr fs:[00000030h]11_2_01928770
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930770 mov eax, dword ptr fs:[00000030h]11_2_01930770
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930770 mov eax, dword ptr fs:[00000030h]11_2_01930770
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930770 mov eax, dword ptr fs:[00000030h]11_2_01930770
            Source: C:\Users\user\Desktop\PO#86637.exeCode function: 11_2_01930770 mov eax, dword ptr fs:[00000030h]11_2_01930770
            Source: C:\Users\user\Desktop\PO#86637.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe"
            Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Source: C:\Users\user\Desktop\PO#86637.exe Memory written: C:\Users\user\Desktop\PO#86637.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory written: C:\Users\user\AppData\Roaming\Fyepece.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp"
            Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp"
            Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Users\user\Desktop\PO#86637.exe VolumeInformation
            Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeQueries volume information: C:\Users\user\AppData\Roaming\Fyepece.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Fyepece.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO#86637.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 12 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

            [Behavior graph: ID 1522678, Sample: PO#86637.exe, Startdate: 30/09/2024, Architecture: WINDOWS, Score: 100]

            Source | Detection | Scanner | Label | Link
            PO#86637.exe | 25% | Virustotal | | Browse
            PO#86637.exe | 21% | ReversingLabs | |
            PO#86637.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\Fyepece.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\Fyepece.exe | 21% | ReversingLabs | |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO#86637.exe, 00000000.00000002.1430741996.0000000003144000.00000004.00000800.00020000.00000000.sdmp, Fyepece.exe, 0000000C.00000002.1561312955.000000000339D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1522678
            Start date and time:2024-09-30 15:19:12 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 58s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:25
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:PO#86637.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@27/15@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 217
            • Number of non-executed functions: 302
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            09:20:07 | API Interceptor | 4x Sleep call for process: PO#86637.exe modified
            09:20:09 | API Interceptor | 43x Sleep call for process: powershell.exe modified
            09:20:14 | API Interceptor | 4x Sleep call for process: Fyepece.exe modified
            15:20:10 | Task Scheduler | Run new task: Fyepece path: C:\Users\user\AppData\Roaming\Fyepece.exe
            No context
            Process:C:\Users\user\AppData\Roaming\Fyepece.exe
            File Type:CSV text
            Category:dropped
            Size (bytes):1968
            Entropy (8bit):5.345338934370444
            Encrypted:false
            SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwRb
            MD5:A6AE821E85EB04F10E67C9D65E129C47
            SHA1:8B3295F40A2F7DCA294DE5502CFE6A751239DB2C
            SHA-256:BD5DE47C737626F6A162CDFE9476DE310476B56FAF917092DF2D9CD4059A6A41
            SHA-512:22E2404E8D989DC1F58B209B48A2BD0AFFA0E19B09100C3FD8417A8A23EBA109A36AF7031CAE33F8FF5BD798F01F81ACA129D90801B34A9607C2D62A63C643DD
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
            Process:C:\Users\user\Desktop\PO#86637.exe
            File Type:CSV text
            Category:dropped
            Size (bytes):1968
            Entropy (8bit):5.345338934370444
            Encrypted:false
            SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwRb
            MD5:A6AE821E85EB04F10E67C9D65E129C47
            SHA1:8B3295F40A2F7DCA294DE5502CFE6A751239DB2C
            SHA-256:BD5DE47C737626F6A162CDFE9476DE310476B56FAF917092DF2D9CD4059A6A41
            SHA-512:22E2404E8D989DC1F58B209B48A2BD0AFFA0E19B09100C3FD8417A8A23EBA109A36AF7031CAE33F8FF5BD798F01F81ACA129D90801B34A9607C2D62A63C643DD
            Malicious:true
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.379460230152629
            Encrypted:false
            SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
            MD5:4DC84D28CF28EAE82806A5390E5721C8
            SHA1:66B6385EB104A782AD3737F2C302DEC0231ADEA2
            SHA-256:1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
            SHA-512:E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
            Malicious:false
            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Users\user\Desktop\PO#86637.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1580
            Entropy (8bit):5.10188821617794
            Encrypted:false
            SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtQxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTgv
            MD5:9FA013C7CF188E7ECE29C73E88FB167D
            SHA1:698F5094ED5BF5533C1E42EAA2A40D0B29AC2EC7
            SHA-256:7A57B0943F094B4FADB8000D562BF87A354DC09E8D18FD69FB9DDDB41FE46E29
            SHA-512:55A6A6068B2A2211A30D2269C03937C1BE854CB9C71B96D94412D4E551F7C69BB7EC0F364C014AB20C8BE8047183C5903E5AFF83E5F011EA97B7C755D4958098
            Malicious:true
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
            Process:C:\Users\user\AppData\Roaming\Fyepece.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1580
            Entropy (8bit):5.10188821617794
            Encrypted:false
            SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtQxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTgv
            MD5:9FA013C7CF188E7ECE29C73E88FB167D
            SHA1:698F5094ED5BF5533C1E42EAA2A40D0B29AC2EC7
            SHA-256:7A57B0943F094B4FADB8000D562BF87A354DC09E8D18FD69FB9DDDB41FE46E29
            SHA-512:55A6A6068B2A2211A30D2269C03937C1BE854CB9C71B96D94412D4E551F7C69BB7EC0F364C014AB20C8BE8047183C5903E5AFF83E5F011EA97B7C755D4958098
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
            Process:C:\Users\user\Desktop\PO#86637.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):821248
            Entropy (8bit):7.759148578585611
            Encrypted:false
            SSDEEP:24576:MUxLe6BK3xGHtCZk7QZKUlDyd3kiGJUnaFT:tCIC67B2yFkiGJU2
            MD5:C38FE2B4F5B0EBD3333A88FD42752F63
            SHA1:16DB98340DAC46D1ED93B119D165AAA5521D631C
            SHA-256:3850DA992CB6CA0CD6BCAAFD65BAEEE9F420C3F878CF0AA6FC47FC5472E395CC
            SHA-512:B420EF747425713401781620927AF406887960F81ACC4AC4D98D346113722F337810CBF5B35DBDC2EA0A968167AD70B4C6253413ADBB404D5CE3D417B32EF8CA
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 21%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..P...0.......m... ........@.. ....................................@..................................m..O........$..........................XY..T............................................ ............... ..H............text....M... ...P.................. ..`.rsrc....$.......(...X..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\PO#86637.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.759148578585611
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:PO#86637.exe
            File size:821'248 bytes
            MD5:c38fe2b4f5b0ebd3333a88fd42752f63
            SHA1:16db98340dac46d1ed93b119d165aaa5521d631c
            SHA256:3850da992cb6ca0cd6bcaafd65baeee9f420c3f878cf0aa6fc47fc5472e395cc
            SHA512:b420ef747425713401781620927af406887960f81acc4ac4d98d346113722f337810cbf5b35dbdc2ea0a968167ad70b4c6253413adbb404d5ce3d417b32ef8ca
            SSDEEP:24576:MUxLe6BK3xGHtCZk7QZKUlDyd3kiGJUnaFT:tCIC67B2yFkiGJU2
            TLSH:1205E0D03F2AB31ADE655834D52ADEB552B81E78B000BAF269DD3B4B75DC111AE0CF41
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..P...0.......m... ........@.. ....................................@................................
            Icon Hash:07232160d4603107
            Entrypoint:0x4c6de2
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x66FA03FD [Mon Sep 30 01:50:53 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6d8d | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x2484 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc5958 | 0x54 | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xc4de8 | 0xc5000 | 507f8ef53ba97c26993f3cb3219d978b | False | 0.8863382871986041 | data | 7.775931986103321 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xc8000 | 0x2484 | 0x2800 | 7c1d3a0c67fce0aeb941e249d912e5fd | False | 0.84150390625 | data | 7.244994054492327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xcc000 | 0xc | 0x800 | 9ad24c7c41609438d13a700ce4507b0d | False | 0.015625 | data | 0.02939680787012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc80c8 | 0x2028 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9876093294460642
            RT_GROUP_ICON | 0xca100 | 0x14 | data | | | 1.05
            RT_VERSION | 0xca124 | 0x35c | data | | | 0.41511627906976745
            DLL | Import
            mscoree.dll | _CorExeMain
            No network behavior found

            Target ID:0
            Start time:09:20:06
            Start date:30/09/2024
            Path:C:\Users\user\Desktop\PO#86637.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PO#86637.exe"
            Imagebase:0xa90000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe"
            Imagebase:0x30000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe"
            Imagebase:0x30000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:7
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp"
            Imagebase:0xfb0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Users\user\Desktop\PO#86637.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\PO#86637.exe"
            Imagebase:0x3c0000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:10
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Users\user\Desktop\PO#86637.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\PO#86637.exe"
            Imagebase:0x410000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:11
            Start time:09:20:08
            Start date:30/09/2024
            Path:C:\Users\user\Desktop\PO#86637.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PO#86637.exe"
            Imagebase:0xdb0000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:12
            Start time:09:20:11
            Start date:30/09/2024
            Path:C:\Users\user\AppData\Roaming\Fyepece.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\Fyepece.exe
            Imagebase:0xf90000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 21%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:13
            Start time:09:20:12
            Start date:30/09/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff605670000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:14
            Start time:09:20:15
            Start date:30/09/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp"
            Imagebase:0xfb0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:15
            Start time:09:20:15
            Start date:30/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:16
            Start time:09:20:15
            Start date:30/09/2024
            Path:C:\Users\user\AppData\Roaming\Fyepece.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Roaming\Fyepece.exe"
            Imagebase:0x200000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:17
            Start time:09:20:15
            Start date:30/09/2024
            Path:C:\Users\user\AppData\Roaming\Fyepece.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Roaming\Fyepece.exe"
            Imagebase:0x140000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:18
            Start time:09:20:15
            Start date:30/09/2024
            Path:C:\Users\user\AppData\Roaming\Fyepece.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Roaming\Fyepece.exe"
            Imagebase:0xb80000
            File size:821'248 bytes
            MD5 hash:C38FE2B4F5B0EBD3333A88FD42752F63
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

              Execution Graph

              Execution Coverage:7.2%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:60
              Total number of Limit Nodes:0
              execution_graph 34053 748ef48 34054 748efd1 CreateProcessA 34053->34054 34056 748f193 34054->34056 34122 748e2b8 34123 748e2fd Wow64SetThreadContext 34122->34123 34125 748e345 34123->34125 34065 5a994f8 34068 5a98bd4 34065->34068 34067 5a99517 34069 5a98bdf 34068->34069 34073 1478fd0 34069->34073 34077 1475ef0 34069->34077 34070 5a9959c 34070->34067 34074 1478fd5 34073->34074 34075 1478fa7 34074->34075 34081 147b740 34074->34081 34075->34070 34078 1475efb 34077->34078 34079 1478fa7 34078->34079 34080 147b740 GetModuleHandleW 34078->34080 34079->34070 34080->34079 34082 147b745 34081->34082 34086 147b769 34082->34086 34090 147b778 34082->34090 34083 147b756 34083->34075 34087 147b778 34086->34087 34093 147b86a 34087->34093 34088 147b787 34088->34083 34092 147b86a GetModuleHandleW 34090->34092 34091 147b787 34091->34083 34092->34091 34094 147b8a4 34093->34094 34095 147b881 34093->34095 34094->34088 34095->34094 34096 147baa8 GetModuleHandleW 34095->34096 34097 147bad5 34096->34097 34097->34088 34057 748ec00 34058 748ec40 VirtualAllocEx 34057->34058 34060 748ec7d 34058->34060 34061 748ecc0 34062 748ed08 WriteProcessMemory 34061->34062 34064 748ed5f 34062->34064 34098 748ddd0 34099 748de10 ResumeThread 34098->34099 34101 748de41 34099->34101 34126 748edb0 34127 748edfb ReadProcessMemory 34126->34127 34129 748ee3f 34127->34129 34102 1475998 34103 14759a9 34102->34103 34106 147556c 34103->34106 34105 14759b2 34107 1475577 34106->34107 34110 1475818 34107->34110 34109 1475b79 34109->34105 34111 1475823 34110->34111 34114 1475948 34111->34114 34113 1475e4d 34113->34109 34115 1475953 34114->34115 34118 1475ec0 34115->34118 34117 147632a 34117->34113 34119 1475ecb 34118->34119 34120 1475ef0 GetModuleHandleW 34119->34120 34121 1476434 34120->34121 34121->34117
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 020177e89a971b846e2dbe2c4e15ff89edf35bfb459652913a039a0b37c1fb57
              • Instruction ID: f050d0b46767206edc97c05a3b9155ea0d55603293f538dedd38b56dfaf689fe
              • Opcode Fuzzy Hash: 020177e89a971b846e2dbe2c4e15ff89edf35bfb459652913a039a0b37c1fb57
              • Instruction Fuzzy Hash: 5D314F71D057888FDB4ACFA6D8543DEBFB2AF86310F18C0ABD404AB265D774094ACB50
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e11ff7b387b6d1b221200bce50843ec143768481a2430536a9e9b167aa57fa9e
              • Instruction ID: 30e40f510bc9abfb248ee5dec6a545491885ae328ea6c1b13528893ecfea806d
              • Opcode Fuzzy Hash: e11ff7b387b6d1b221200bce50843ec143768481a2430536a9e9b167aa57fa9e
              • Instruction Fuzzy Hash: 1021F6B1E006188BEB58CF9BD9443DEFBB2AFC9310F14C06AD408A6264DB75194ACF50

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 748ef3e-748efdd 3 748efdf-748efe9 0->3 4 748f016-748f036 0->4 3->4 5 748efeb-748efed 3->5 11 748f038-748f042 4->11 12 748f06f-748f09e 4->12 6 748efef-748eff9 5->6 7 748f010-748f013 5->7 9 748effb 6->9 10 748effd-748f00c 6->10 7->4 9->10 10->10 13 748f00e 10->13 11->12 14 748f044-748f046 11->14 18 748f0a0-748f0aa 12->18 19 748f0d7-748f191 CreateProcessA 12->19 13->7 16 748f048-748f052 14->16 17 748f069-748f06c 14->17 20 748f054 16->20 21 748f056-748f065 16->21 17->12 18->19 22 748f0ac-748f0ae 18->22 32 748f19a-748f220 19->32 33 748f193-748f199 19->33 20->21 21->21 23 748f067 21->23 24 748f0b0-748f0ba 22->24 25 748f0d1-748f0d4 22->25 23->17 27 748f0bc 24->27 28 748f0be-748f0cd 24->28 25->19 27->28 28->28 29 748f0cf 28->29 29->25 43 748f230-748f234 32->43 44 748f222-748f226 32->44 33->32 46 748f244-748f248 43->46 47 748f236-748f23a 43->47 44->43 45 748f228 44->45 45->43 49 748f258-748f25c 46->49 50 748f24a-748f24e 46->50 47->46 48 748f23c 47->48 48->46 51 748f26e-748f275 49->51 52 748f25e-748f264 49->52 50->49 53 748f250 50->53 54 748f28c 51->54 55 748f277-748f286 51->55 52->51 53->49 57 748f28d 54->57 55->54 57->57
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0748F17E
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 58 748ef48-748efdd 60 748efdf-748efe9 58->60 61 748f016-748f036 58->61 60->61 62 748efeb-748efed 60->62 68 748f038-748f042 61->68 69 748f06f-748f09e 61->69 63 748efef-748eff9 62->63 64 748f010-748f013 62->64 66 748effb 63->66 67 748effd-748f00c 63->67 64->61 66->67 67->67 70 748f00e 67->70 68->69 71 748f044-748f046 68->71 75 748f0a0-748f0aa 69->75 76 748f0d7-748f191 CreateProcessA 69->76 70->64 73 748f048-748f052 71->73 74 748f069-748f06c 71->74 77 748f054 73->77 78 748f056-748f065 73->78 74->69 75->76 79 748f0ac-748f0ae 75->79 89 748f19a-748f220 76->89 90 748f193-748f199 76->90 77->78 78->78 80 748f067 78->80 81 748f0b0-748f0ba 79->81 82 748f0d1-748f0d4 79->82 80->74 84 748f0bc 81->84 85 748f0be-748f0cd 81->85 82->76 84->85 85->85 86 748f0cf 85->86 86->82 100 748f230-748f234 89->100 101 748f222-748f226 89->101 90->89 103 748f244-748f248 100->103 104 748f236-748f23a 100->104 101->100 102 748f228 101->102 102->100 106 748f258-748f25c 103->106 107 748f24a-748f24e 103->107 104->103 105 748f23c 104->105 105->103 108 748f26e-748f275 106->108 109 748f25e-748f264 106->109 107->106 110 748f250 107->110 111 748f28c 108->111 112 748f277-748f286 108->112 109->108 110->106 114 748f28d 111->114 112->111 114->114
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0748F17E
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 115 147b86a-147b87f 116 147b881-147b88e call 147b27c 115->116 117 147b8ab-147b8af 115->117 124 147b8a4 116->124 125 147b890 116->125 119 147b8c3-147b904 117->119 120 147b8b1-147b8bb 117->120 126 147b906-147b90e 119->126 127 147b911-147b91f 119->127 120->119 124->117 173 147b896 call 147bb08 125->173 174 147b896 call 147baf8 125->174 126->127 128 147b943-147b945 127->128 129 147b921-147b926 127->129 134 147b948-147b94f 128->134 131 147b931 129->131 132 147b928-147b92f call 147b288 129->132 130 147b89c-147b89e 130->124 133 147b9e0-147baa0 130->133 136 147b933-147b941 131->136 132->136 166 147baa2-147baa5 133->166 167 147baa8-147bad3 GetModuleHandleW 133->167 137 147b951-147b959 134->137 138 147b95c-147b963 134->138 136->134 137->138 139 147b965-147b96d 138->139 140 147b970-147b979 call 147b298 138->140 139->140 146 147b986-147b98b 140->146 147 147b97b-147b983 140->147 148 147b98d-147b994 146->148 149 147b9a9-147b9ad 146->149 147->146 148->149 151 147b996-147b9a6 call 147b2a8 call 147b2b8 148->151 171 147b9b0 call 147bdd8 149->171 172 147b9b0 call 147bde8 149->172 151->149 154 147b9b3-147b9b6 155 147b9d9-147b9df 154->155 156 147b9b8-147b9d6 154->156 156->155 166->167 168 147bad5-147badb 167->168 169 147badc-147baf0 167->169 168->169 171->154 172->154 173->130 174->130
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0147BAC6
              Memory Dump Source
              • Source File: 00000000.00000002.1430111785.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1470000_PO#86637.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 175 748ecb8-748ed0e 178 748ed1e-748ed5d WriteProcessMemory 175->178 179 748ed10-748ed1c 175->179 181 748ed5f-748ed65 178->181 182 748ed66-748ed96 178->182 179->178 181->182
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0748ED50
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 186 748ecc0-748ed0e 188 748ed1e-748ed5d WriteProcessMemory 186->188 189 748ed10-748ed1c 186->189 191 748ed5f-748ed65 188->191 192 748ed66-748ed96 188->192 189->188 191->192
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0748ED50
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 196 748e2b2-748e303 199 748e313-748e316 196->199 200 748e305-748e311 196->200 201 748e31d-748e343 Wow64SetThreadContext 199->201 200->199 202 748e34c-748e37c 201->202 203 748e345-748e34b 201->203 203->202
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0748E336
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 207 748eda8-748ee3d ReadProcessMemory 211 748ee3f-748ee45 207->211 212 748ee46-748ee76 207->212 211->212
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0748EE30
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 216 748e2b8-748e303 218 748e313-748e343 Wow64SetThreadContext 216->218 219 748e305-748e311 216->219 221 748e34c-748e37c 218->221 222 748e345-748e34b 218->222 219->218 222->221
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0748E336
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 226 748edb0-748ee3d ReadProcessMemory 229 748ee3f-748ee45 226->229 230 748ee46-748ee76 226->230 229->230
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0748EE30
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 234 748ebf8-748ec43 237 748ec4a-748ec7b VirtualAllocEx 234->237 238 748ec7d-748ec83 237->238 239 748ec84-748eca9 237->239 238->239
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0748EC6E
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 243 748ddc8-748de3f ResumeThread 247 748de48-748de6d 243->247 248 748de41-748de47 243->248 248->247
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 252 748ec00-748ec7b VirtualAllocEx 255 748ec7d-748ec83 252->255 256 748ec84-748eca9 252->256 255->256
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0748EC6E
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 260 748ddd0-748de3f ResumeThread 263 748de48-748de6d 260->263 264 748de41-748de47 260->264 264->263
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 268 147ba60-147baa0 269 147baa2-147baa5 268->269 270 147baa8-147bad3 GetModuleHandleW 268->270 269->270 271 147bad5-147badb 270->271 272 147badc-147baf0 270->272 271->272
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0147BAC6
              Memory Dump Source
              • Source File: 00000000.00000002.1430111785.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1470000_PO#86637.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 274 5a9f6f9-5a9f72d 275 5a9f72f 274->275 276 5a9f734-5a9f755 274->276 275->276 278 5a9f758-5a9f75e 276->278 279 5a9f760 278->279 280 5a9f767-5a9f768 278->280 279->280 281 5a9f76a-5a9f77f 279->281 282 5a9f83a-5a9f86a 279->282 280->281 318 5a9f782 call 748f888 281->318 319 5a9f782 call 748f879 281->319 282->278 288 5a9f870-5a9f876 282->288 287 5a9f787-5a9f794 324 5a9f797 call 5a9fb58 287->324 325 5a9f797 call 5a9fbca 287->325 326 5a9f797 call 5a9fb4a 287->326 288->278 291 5a9f79d-5a9f838 322 5a9f7ce call 5a9fc1f 291->322 323 5a9f7ce call 5a9fc20 291->323 300 5a9f7d4-5a9f95d 320 5a9f960 call 5a9fd30 300->320 321 5a9f960 call 5a9fd40 300->321 315 5a9f966-5a9f969 316 5a9f972 315->316 317 5a9f973 316->317 317->317 318->287 319->287 320->315 321->315 322->300 323->300 324->291 325->291 326->291
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: MVN
              • API String ID: 0-2226256116
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: MVN
              • API String ID: 0-2226256116
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: m
              • API String ID: 0-3775001192
              • Instruction Fuzzy Hash: 15214C35700220AFCB289F1AD480E6BB3FAFB88621B11442EE51687B50C731EC41CB55
              Memory Dump Source
              • Source File: 00000000.00000002.1429722879.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_131d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 468bf2a01fbd7af377d136ebbed07ac7227c8a04ab6ab5a89a4a30773317be34
              • Instruction ID: 4d1f39b74ad7ba3e0d190a9c60f3bd7f79dc2ba6714ffff05aa23622b8e3ac44
              • Opcode Fuzzy Hash: 468bf2a01fbd7af377d136ebbed07ac7227c8a04ab6ab5a89a4a30773317be34
              • Instruction Fuzzy Hash: 932138B5604304DFDB09DF98D9C8B26BB65FB85718F20CA6DD84A4B34AC33AD446CB61
              Memory Dump Source
              • Source File: 00000000.00000002.1429722879.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_131d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d7530286bdedcd5838809ce54749548f32292276c4614fbfb5618b6c24db629
              • Instruction ID: 7066cce12a30ac8ffb155ed34ad0f37a813b167aff6dea0bc2092dd40eb734e3
              • Opcode Fuzzy Hash: 2d7530286bdedcd5838809ce54749548f32292276c4614fbfb5618b6c24db629
              • Instruction Fuzzy Hash: EF212275604304DFDB19DF54D888B16BB65FB85318F20C56DD80A0B78AC33AD447CA62
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a72be8bb9ceb7ec3684b22cb3606a0f4f1b97d69881e1a5af88a07f8b8ccf6e5
              • Instruction ID: 944e7a3f9d82ce80dae5f644ec0f5afa80b0c46da448619f71a2800a234c17b9
              • Opcode Fuzzy Hash: a72be8bb9ceb7ec3684b22cb3606a0f4f1b97d69881e1a5af88a07f8b8ccf6e5
              • Instruction Fuzzy Hash: 5A215035A106199FCB10EF6DD84099DFBF5FF59311B50C26AE958A7200EB30E998CB91
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 048da5602fc5020a5251f07b92e51debb9fed5c8c0b359d79be41c67629223b7
              • Instruction ID: 00f46bdb52f49d0aa152aacc67da4387ec9f96f80d63a36503e0fb186a61ad9c
              • Opcode Fuzzy Hash: 048da5602fc5020a5251f07b92e51debb9fed5c8c0b359d79be41c67629223b7
              • Instruction Fuzzy Hash: 6831EEB0D0531CDFDF24DF9AD988B8EBBF5BB48710F20801AE408AB284C7B55845CBA5
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e59af3a7e8e272a8c96773bba5e7daa17b0171303ba3aea95c5b86042820018b
              • Instruction ID: 16bf43580b9de420e75953dc9542e96a6e83513b7ef561421a047e1094141989
              • Opcode Fuzzy Hash: e59af3a7e8e272a8c96773bba5e7daa17b0171303ba3aea95c5b86042820018b
              • Instruction Fuzzy Hash: E5214935600320AFCB28DF1AC480E6B77FABF88621B11445EE96687B61D731E841CB65
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a386c0c53209364a4ec881eb4134f72245544c854604246f396e547d172491d6
              • Instruction ID: 9fe00e0c2ccad7d26391cffb783963e14853d7523c145265eebf74048e12a4ac
              • Opcode Fuzzy Hash: a386c0c53209364a4ec881eb4134f72245544c854604246f396e547d172491d6
              • Instruction Fuzzy Hash: 8B31DFB1C01318DFDF24DF99D989B8DBBF5BB08714F24801AE408BB294C7B55845CB60
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4625099c4c93d384e69a1a95b2c83ab2be224f9960e8da1a47739ec257f95c51
              • Instruction ID: a3d7178c9f7aea320ab59764775bd5ad8abd69ebab70e6eee819f30db56e9404
              • Opcode Fuzzy Hash: 4625099c4c93d384e69a1a95b2c83ab2be224f9960e8da1a47739ec257f95c51
              • Instruction Fuzzy Hash: D1112935700620AFCB28DF16D480E6BB7FABF98621F15442EE95687B61D732EC41CB51
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e2ae1eaeb273799db6f6727772c6f6eeea45a344fd48567f10cf5a5fb8f7cf9
              • Instruction ID: 6cd92c0840a37425f2d107f4c2e1b7e5c1e7b3cb2ca5b2f8f028258466cfd677
              • Opcode Fuzzy Hash: 9e2ae1eaeb273799db6f6727772c6f6eeea45a344fd48567f10cf5a5fb8f7cf9
              • Instruction Fuzzy Hash: B421EF75E0010A9FCB04DFA9C8449EFFBF9FF98210B10851AE524E7210E774A956CB90
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d690b8e393c7d71c2ef28e981252c0d48ce3279dc7bb002098f67aa36b9c4784
              • Instruction ID: 8fb7b4bd4cccb71890ab23d7e0149a923d3cf5a88630925f2135419ac8f53560
              • Opcode Fuzzy Hash: d690b8e393c7d71c2ef28e981252c0d48ce3279dc7bb002098f67aa36b9c4784
              • Instruction Fuzzy Hash: CD215873900B5286EB119F59D840381B3A1FF95324F19877ACC4D7B346EB75B9858BA0
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 545c1d33be3db7095ca3952000e4821fde4dc6284ce579b7998b946b73bc1220
              • Instruction ID: e5c197c3a4bc5077a18ce5fbfc7632d9d4ec2e6abad71dc30d9ac6e2b2eee579
              • Opcode Fuzzy Hash: 545c1d33be3db7095ca3952000e4821fde4dc6284ce579b7998b946b73bc1220
              • Instruction Fuzzy Hash: 5C21FC71E0020A9FCF04DFADC8448AFFBF9FF98200B10851AE518E7210EB70A956CB90
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 70a03306f678dc800863f4a7bc56282cd3d16f71941640531c8d7d61476b10f9
              • Instruction ID: 745fafe95f38a02905e508ab2a5b2d633a428f10634fd4892cf3b4442d50932d
              • Opcode Fuzzy Hash: 70a03306f678dc800863f4a7bc56282cd3d16f71941640531c8d7d61476b10f9
              • Instruction Fuzzy Hash: AB114F71B00229CBCB59EBA9A8509FEBBF2AFC5311B14403DC615E7345EB368D01DBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 375cb407e350d6ca0feb03f0360d508d0d5b6cc58cdd7fb7d400734f401f003f
              • Instruction ID: ec09eac319969dc09c56486609c909381150e5c14c6d5da9ffb45cff4d0e2402
              • Opcode Fuzzy Hash: 375cb407e350d6ca0feb03f0360d508d0d5b6cc58cdd7fb7d400734f401f003f
              • Instruction Fuzzy Hash: 8F110AB4D15228DFDB19DFA5E984AADFBF6BF99300F14902AE419AB750DB305842CB01
              Memory Dump Source
              • Source File: 00000000.00000002.1429564117.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_130d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b414e8e77cef2b07f6af6975c8f9c9e06390c92f7d1f8eec5b2bf1e8e43ec353
              • Instruction ID: 85468355d44b9779bac8646100e466aa6fef3c601dd543d916e1982305b72709
              • Opcode Fuzzy Hash: b414e8e77cef2b07f6af6975c8f9c9e06390c92f7d1f8eec5b2bf1e8e43ec353
              • Instruction Fuzzy Hash: E321A276504284DFDB06CF94D9C4B16BFB2FB88318F24C6A9D9490B657C33AD426CB91
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 028ba166609653eb5423355a96352ee544a5f01af935516f0558304e5923e46b
              • Instruction ID: f8c7bbe19c27810b73f57013ac079073f51ce29893b4e095e1315805f1176fb4
              • Opcode Fuzzy Hash: 028ba166609653eb5423355a96352ee544a5f01af935516f0558304e5923e46b
              • Instruction Fuzzy Hash: CC11082060D3949FD70657B4C819759BFB1FF86201F1881EBD099C7A93DB3A8847C392
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2bc1a1bb3aa42ba1c002903bb78a257dfa45871e3485964beba46840f64fa3b8
              • Instruction ID: aeb8460002ced8657591229cdda461e81b7368884cdf79fc32132387e3f00327
              • Opcode Fuzzy Hash: 2bc1a1bb3aa42ba1c002903bb78a257dfa45871e3485964beba46840f64fa3b8
              • Instruction Fuzzy Hash: 5411CB74D15228DFDF18DFA6E884AADFBFABF99300F14902AA419A7350DB305842CB41
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3e976da4d11452a52ba8e79539df4617e24f80e98903cc76e34c39867598d40
              • Instruction ID: 46fcf2f4ed27c6960b40abfd24bcceb19e2ed6915bec12e754c1add7f5b68968
              • Opcode Fuzzy Hash: a3e976da4d11452a52ba8e79539df4617e24f80e98903cc76e34c39867598d40
              • Instruction Fuzzy Hash: AD1148303043125FEB44A768C411BDB36D6AB95718F14C41FD0898F3C2CEFA684A47E1
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c51e65617a892b9fbc5957039b13ec5b587b08d27744b597ed3eadbe0bec402
              • Instruction ID: 5807ac26e39ce5b98de32b5cfdcac80f5772c77eefcb6eae1f1a58d39462e0e1
              • Opcode Fuzzy Hash: 9c51e65617a892b9fbc5957039b13ec5b587b08d27744b597ed3eadbe0bec402
              • Instruction Fuzzy Hash: AF116732D00B5286DB00AF6AD850281B3A5FF95324F19877ACC4D7F346EB71B98587A0
              Memory Dump Source
              • Source File: 00000000.00000002.1429722879.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_131d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
              • Instruction ID: 48fbf414a16eb9433fe8e602b04720fb3b8c1426afe76d8658f4761ba2ff9880
              • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
              • Instruction Fuzzy Hash: C711BE79504280CFCB16CF58D5C4B15BB62FB45318F24C6A9D8494B65AC33AD44ACB62
              Memory Dump Source
              • Source File: 00000000.00000002.1429722879.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_131d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
              • Instruction ID: bd64a79a1d24d0418336f362f57afdf4bc595937f8c10ce27afb8288b12cb6b1
              • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
              • Instruction Fuzzy Hash: 6711BE75504244CFCB0ACF58D5C4B15BB61FB45318F24CAAED8494B25AC33AD40ACB61
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 957f0bd959bd7fce5a8db9b6c450d57088c7499ddeec0bb5b38dc3b4ded14702
              • Instruction ID: 314c49ed7b37753e2f48067ba7f78c4caaaf54be30b3940ec7173b8a7a52afed
              • Opcode Fuzzy Hash: 957f0bd959bd7fce5a8db9b6c450d57088c7499ddeec0bb5b38dc3b4ded14702
              • Instruction Fuzzy Hash: 1E11D2303003229BEB44A768D415B9B76D6AB94718F50C91ED18A8F7C2CEF6684647E1
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bbf6e99ec9ce43b7b2a3a3f3e51707b6bc3741e6dcc0f1027d5bb143284a02d
              • Instruction ID: e8ae94bd8bc34a39af92134f015d931fa792f763fc5163462fb9d399e5654f4b
              • Opcode Fuzzy Hash: 1bbf6e99ec9ce43b7b2a3a3f3e51707b6bc3741e6dcc0f1027d5bb143284a02d
              • Instruction Fuzzy Hash: B011E13160D288DFCF1ACB68D58169C7FF0AF06219F2401DAD844CB292C3309A42DB91
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 938636b9d791c1eb92a22b46778161e8fb22a7c7d7b4f2a80c7f560c338a513b
              • Instruction ID: f54dac3344b8679fad8aa03bb80ca1542ae4aecc48c5e9f921c3517bbd5c296c
              • Opcode Fuzzy Hash: 938636b9d791c1eb92a22b46778161e8fb22a7c7d7b4f2a80c7f560c338a513b
              • Instruction Fuzzy Hash: 450192317042118FDB18DB29E889E6A77EAFFC9214B24846EE41ACB364CF75EC02C750
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dfa0ac17369bd8adcc9e2d637e602768f4b711846fcd93676103f7b9459ddd43
              • Instruction ID: c035669a700fff42792a19f572c8015feacfe800d3ee91be8235a45c8ff8b54b
              • Opcode Fuzzy Hash: dfa0ac17369bd8adcc9e2d637e602768f4b711846fcd93676103f7b9459ddd43
              • Instruction Fuzzy Hash: 9211F8B4E08259DFCF09CFA9D4855ADBFB5FF49211F2091A9D819A7351EB344A42CB40
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f38697770424057af702e50a727ec62f6c6c908f131fc45b48c958a1eb20b3e
              • Instruction ID: daefe35458bba1237c8d1957a806685ad6951070d8746f0498ebe7996156c864
              • Opcode Fuzzy Hash: 2f38697770424057af702e50a727ec62f6c6c908f131fc45b48c958a1eb20b3e
              • Instruction Fuzzy Hash: 0911A2B4E0421DDFCF44DFA9D9456AEBBF5BB48201F20916AD819E3311EB345A42CF90
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4badfcdc25b8629ed58287bc72d7081efc23b204038998fcc71247dd381cb09
              • Instruction ID: 817b346fdf66cd9050259768f2100587fdf408f2a76b3835018442f2fae54c2c
              • Opcode Fuzzy Hash: d4badfcdc25b8629ed58287bc72d7081efc23b204038998fcc71247dd381cb09
              • Instruction Fuzzy Hash: 94018F357002148FDB18DF69D859AAEBBF9FF89350B10407EE911D7351DB34A804CA90
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ffda4b4214bf656fe7c6dabdfb2551fd7f04c377afbdefacc964436b089db55a
              • Instruction ID: d6f304f82645b6531c96a65035bc8423cfd2834baa3491f365c00157dd6bad41
              • Opcode Fuzzy Hash: ffda4b4214bf656fe7c6dabdfb2551fd7f04c377afbdefacc964436b089db55a
              • Instruction Fuzzy Hash: 100121347042118FDB18DF69E488D6ABBEAFFC9615714846DE41A8B365CF71EC05C750
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3404bdac3b189ca0a48094957bde263c69e602c2e53b76391ce85eeb8f82499f
              • Instruction ID: 8e3f73f5ed32a435568ebc6842d639833380a28f7f9cd0acbf91f1d018a65248
              • Opcode Fuzzy Hash: 3404bdac3b189ca0a48094957bde263c69e602c2e53b76391ce85eeb8f82499f
              • Instruction Fuzzy Hash: D601D734A452289FDF14CB60D851FADBBBAFB49300F105094E519A7381CB706D81CF54
              Memory Dump Source
              • Source File: 00000000.00000002.1429564117.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_130d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66e78c4b9fee66222151755c74568d08c294a3d66d0c88e026d4773ea4411d60
              • Instruction ID: 0ff6621036b91957b2e7fb7ce3f8cd89e97ce8be390089228a034b4026903628
              • Opcode Fuzzy Hash: 66e78c4b9fee66222151755c74568d08c294a3d66d0c88e026d4773ea4411d60
              • Instruction Fuzzy Hash: 4301A2710043489BE7124FA9CC84B67FFD9EF81629F18C45AED494A6C6C3789840CB72
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5485a38b8a968c85540f2bd758d98a8dab245175c4e317383daa9e077af0377
              • Instruction ID: 531b7f41e649c23913848ad8029e619aa64f81bfd0fd3455279486eafbdda06a
              • Opcode Fuzzy Hash: e5485a38b8a968c85540f2bd758d98a8dab245175c4e317383daa9e077af0377
              • Instruction Fuzzy Hash: 8A0184303087108FCB19D759D850D2677EAFF81226B18C5ABD9468F265DB74EC02CB95
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4681ca23640ead2b2a6805db69e6a51a381933ddb07adac28a4c00df2c724c42
              • Instruction ID: 0c38aec86034811a300e726c2184b07e2e8e103cc7264447099a3a5d770bfbc5
              • Opcode Fuzzy Hash: 4681ca23640ead2b2a6805db69e6a51a381933ddb07adac28a4c00df2c724c42
              • Instruction Fuzzy Hash: 78016D303147218FCB18DBADD440D26B3EABFC5225B24C56BD91A8B264DB71EC02CB94
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a7e32e0d434e506110b735d7568fa2059a535263f6c6ae7d05c8451704a58ad
              • Instruction ID: 5709c5ca757eb471ba204ca7972542a5d425cda1b9b5622b4d434454708406ef
              • Opcode Fuzzy Hash: 5a7e32e0d434e506110b735d7568fa2059a535263f6c6ae7d05c8451704a58ad
              • Instruction Fuzzy Hash: D6F01C777002186FE304966EEC95EABBBEDEBC8674B65807AE508D7350DD359C0286A0
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b6724a6ef501f81f9cd7f4e9a5e7b1b359176c2de077099d1a02a5c61406c7
              • Instruction ID: 4476df50b28d3752b94f1a0c7143aacf512e282b4c857e4557c615170210bd56
              • Opcode Fuzzy Hash: f1b6724a6ef501f81f9cd7f4e9a5e7b1b359176c2de077099d1a02a5c61406c7
              • Instruction Fuzzy Hash: BF012C71C0422DDFEF18CFA9D4087ADBBF5BF04324F24851DE525AA290D7784A80CBA0
              Memory Dump Source
              • Source File: 00000000.00000002.1429564117.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_130d000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 653586efff60666bd13d4dcdff2a0dcdb20aa5f3be89daf81a5e0b7ac4e0f39a
              • Instruction ID: c18c16f5ddb6224fa186f3f8aaffc2a043a8779a240086631c27a62c49d44dfd
              • Opcode Fuzzy Hash: 653586efff60666bd13d4dcdff2a0dcdb20aa5f3be89daf81a5e0b7ac4e0f39a
              • Instruction Fuzzy Hash: C8F06D71404348AFE7118B5AC884B66FFD8EB41638F28C45AED494A2C7C279A844CAB1
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 25527e21822000e5db050125fa25b215a662f34b5b95943b22a025e651cdbd70
              • Instruction ID: 3c050b52fe107e6daa3ba3f024897dbd4d7ffe8134dfdb4ac899d12cd21ed7f1
              • Opcode Fuzzy Hash: 25527e21822000e5db050125fa25b215a662f34b5b95943b22a025e651cdbd70
              • Instruction Fuzzy Hash: 0001AC7080462DDFDF14DF59D4047AEBAF5BF44354F148529E525AA190D7744A44CBE0
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2e3d34182b1ffc71f86353707d07abe6163dde52b9c502aa1ee64fc47ea4cc3
              • Instruction ID: 22389884b6448a1283dc0e592aa58071d00c04e50f298ab6b20f755021114832
              • Instruction Fuzzy Hash: 4CE1DBB4E002298FDB54EF99C5809AEBBF2FF89305F24815AE418A7355D731AD42CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae496f83d5c91c003060269d1ba8fbf66128edb83f3cef9ded2f948f968b5c06
              • Instruction ID: 93e7989bd09fa1ae41dcc6b71ec36dd94a9e62dced355237f5d87906465afb8b
              • Opcode Fuzzy Hash: ae496f83d5c91c003060269d1ba8fbf66128edb83f3cef9ded2f948f968b5c06
              • Instruction Fuzzy Hash: 62B107B1E1425EDFDB58DFEAD8805EEFBB2FF89200F10952AD415AB254DB3499028F00
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8ee117012f1076a27f5ec5b7adb0d6a962b02e9c7e385e4d3d9df9d6747d5986
              • Instruction ID: 45d842f76d13718d9af1add72e1522952b0205f2348da20a178c4a48a8e46e62
              • Opcode Fuzzy Hash: 8ee117012f1076a27f5ec5b7adb0d6a962b02e9c7e385e4d3d9df9d6747d5986
              • Instruction Fuzzy Hash: 15B1F5B1E1425EDFDB58DFEAD8805EEFBB2BF89200F10952AD415AB254DB349902CF00
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c9ec29ebd863433c8aad9c3fa5cb6a19f9dc32e7ff37323572daad7b1b26cad0
              • Instruction ID: 726462359c2fdeac1fe3ee34df10589f1ae8e39c205ccd0c9e85ab63f4ef90a4
              • Opcode Fuzzy Hash: c9ec29ebd863433c8aad9c3fa5cb6a19f9dc32e7ff37323572daad7b1b26cad0
              • Instruction Fuzzy Hash: 2FD10634820B6A8ACB01EB64D890ADDB7B1FF95300F50C79AE40A37255EF706AC5CF91
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7817b8c938c3d0bd92e54bc967bee451f46ca70848251cd8d5d1562f9655cc60
              • Instruction ID: f5a44508873a6d649f66e32ab2d3d74e8fa4a21e3bebc886e10b42a0b7197b62
              • Opcode Fuzzy Hash: 7817b8c938c3d0bd92e54bc967bee451f46ca70848251cd8d5d1562f9655cc60
              • Instruction Fuzzy Hash: 53D1E534920B6A8ADB01EB64D990ADDB7B1FF95300F50C79AE40A37254EF706AC5CF91
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9257e0744acc964157f296d70afb257fe43cc134de5443a8ccba900333a9d803
              • Instruction ID: 47ded11906ec89457544f0c9d1844a945a2a564bf8423c92f690f9deceda39fb
              • Opcode Fuzzy Hash: 9257e0744acc964157f296d70afb257fe43cc134de5443a8ccba900333a9d803
              • Instruction Fuzzy Hash: CFB10CB0E142198FDB54DFA9C580AAEFBB6FF89301F24815AE419A7355D730AD42CF60
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f43b8cb5098628246ef54a693bc375cf12dd32bf555202cc4c612e7fe14c49d
              • Instruction ID: e93d49d141d96905422343350c1261162e8baaeef6200a53838418ecfcfe0932
              • Opcode Fuzzy Hash: 3f43b8cb5098628246ef54a693bc375cf12dd32bf555202cc4c612e7fe14c49d
              • Instruction Fuzzy Hash: CFB11AB0E142198FDB54DFA9C580AAEFBF2FF89201F24815AE419A7355D730AD42CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d8da18ebc5551768a015baa2bff2be8cd00bcc2f1ee5529fcd00b636a84d6aa
              • Instruction ID: e65387d74e57d41dc71a0f807985a99ed1333a5f042192ad42279b0b9de067d2
              • Opcode Fuzzy Hash: 8d8da18ebc5551768a015baa2bff2be8cd00bcc2f1ee5529fcd00b636a84d6aa
              • Instruction Fuzzy Hash: 5FC1F8B98A07458BE711CF65E94A1897FBBBB85324F144309E1616F2D0DFB8348ADF44
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e549b3681168a9920feed7c92af7088a9268fafedf4d8a3970f422d543ea88e
              • Instruction ID: 528e5b0928e55b130cea6b48e31a84bcf67bd6e5b9c6ce102cee69e6bb1e08dd
              • Opcode Fuzzy Hash: 7e549b3681168a9920feed7c92af7088a9268fafedf4d8a3970f422d543ea88e
              • Instruction Fuzzy Hash: ABA13DB4E142198FDB54DF98C580AAEFBB2FF89301F24955AE409A7355D730AD42CF60
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aff359e615ba983f524b01250fb6f07c03c9ca0e3200b8142a918fa026c6cfe9
              • Instruction ID: bd3d1a26970f7f6065b9f81590a4f76964d8aa4dad3548418c602f797c445270
              • Opcode Fuzzy Hash: aff359e615ba983f524b01250fb6f07c03c9ca0e3200b8142a918fa026c6cfe9
              • Instruction Fuzzy Hash: 5C71D0B4E15219CFCB44DFA9C5849AEFBF2FF49210F14896AE415AB361D334AA42CF50
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5440373b55813215228a50480bd2bc0d35d37e597bc4cc0209e6e5eed83ed74b
              • Instruction ID: a895a24b44bba57e4eedd656dd12da7ce17af71edb3493bd9338d8a06ad9a940
              • Opcode Fuzzy Hash: 5440373b55813215228a50480bd2bc0d35d37e597bc4cc0209e6e5eed83ed74b
              • Instruction Fuzzy Hash: 8681D0B4E1121DCFCB44DF99C5849AEFBF2FF89210F14895AE415AB260D734AA42CF90
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b99293ab9ec1460eb364b2d52df2cc15a08c7ec96ae7df78a529cf0e63f5f63
              • Instruction ID: ce63a9563596fa80447536e30aed6a4d35d737311c5c8ac4cc390892b2a4dfb6
              • Opcode Fuzzy Hash: 9b99293ab9ec1460eb364b2d52df2cc15a08c7ec96ae7df78a529cf0e63f5f63
              • Instruction Fuzzy Hash: B86103B4E1521ADFCB44DFA8C581AEEFBF2FF89210F148556D405AB315D370A942CBA8
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cb99ddff6b35d6d33868c438de33c5b1e4440a46bceefa400a26706144b19d7c
              • Instruction ID: b10f0e246431291fed5048dd2b0796f29954c56cca71c7831960cf9c50b48d85
              • Opcode Fuzzy Hash: cb99ddff6b35d6d33868c438de33c5b1e4440a46bceefa400a26706144b19d7c
              • Instruction Fuzzy Hash: F06104B4E11219DFCB44DFA9C5819EEFBB2FF49210F14895AD405AB314D3709942CB98
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b6e0167341f8681cc735cf0179b30229e0f7447ed3fd5b2754c2d09bd1e75792
              • Instruction ID: 860209660de4c3646496f3488fd7c86bacbf96ec23c34a4407c459bbe9bd7c4c
              • Opcode Fuzzy Hash: b6e0167341f8681cc735cf0179b30229e0f7447ed3fd5b2754c2d09bd1e75792
              • Instruction Fuzzy Hash: B851E1B4E1960DCFCB44DF9AD8845EEBBFAFB8A300F149426E819A7711D7309942CB50
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 146c3a5c130f67a5ae6a7b2909d1133557d8b2729903d080a77fdb3e14f0f03f
              • Instruction ID: ffedc2e5eefbc1b04309f200acdde040c4f95ec9e777d668a1930b444d4b526d
              • Opcode Fuzzy Hash: 146c3a5c130f67a5ae6a7b2909d1133557d8b2729903d080a77fdb3e14f0f03f
              • Instruction Fuzzy Hash: 10510AB0E002298FDB54DFA9C5805AEFBF2FF89305F24816AD418AB355D731A942CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee02abc060792560621dc335d71afbd07ddd2a5a11321020006be07b24820255
              • Instruction ID: 619b2c905d677344b762eaee05cc437718baa0a0cc4ce5d03612352aa78c3131
              • Opcode Fuzzy Hash: ee02abc060792560621dc335d71afbd07ddd2a5a11321020006be07b24820255
              • Instruction Fuzzy Hash: 86511BB4E002298FDB54DFA9C5805AEFBF6FF89305F24816AD418A7315D731A942CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0e47384423383625c0ebb43f822c9998a5fc01ebbff1bd586a811723bffb05a
              • Instruction ID: d1debd1e8ab9c3b481979189532cd470344882d1d16dc4e8778e16de95963bf7
              • Opcode Fuzzy Hash: b0e47384423383625c0ebb43f822c9998a5fc01ebbff1bd586a811723bffb05a
              • Instruction Fuzzy Hash: FE510BB4E002298BDB54DFA9C5805AEFBF2FF89305F24816AD418AB315D7319942CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93bc61f7710c8aee913eb83a2a3e3dd242743a6d5f1fe55267497ab6a7fe91c6
              • Instruction ID: 6c8dca483cac465b2a076de931786219ff3d4d5bc1672a7722ecd754c0171088
              • Opcode Fuzzy Hash: 93bc61f7710c8aee913eb83a2a3e3dd242743a6d5f1fe55267497ab6a7fe91c6
              • Instruction Fuzzy Hash: E25177B4E1520A9FCB44DFAAC5804EEFFB2EF89310F25C56AC405B7314D3349A428BA5
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c9f0f426ff05af34c35b9be775c720da324e9ba3c16578a53f7dcb8aa5d556e4
              • Instruction ID: 2b6cbc87708ae37bffd8c55edde754363e171eb2aded8c6ee93450776995460a
              • Opcode Fuzzy Hash: c9f0f426ff05af34c35b9be775c720da324e9ba3c16578a53f7dcb8aa5d556e4
              • Instruction Fuzzy Hash: B25145B0E1520ADBCB44DFAAC5805EEFBB2EF89700F25D86AC405B7314D3349A428B95
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15c6bc3c16e47df6f3826a9984cbb99aa015ba2ce518a47b3d5d8e5aed85da78
              • Instruction ID: 8a241ec0dab352ccf838775fc44bb39b52d434547c2999eef69f1ae1e5ee11f5
              • Opcode Fuzzy Hash: 15c6bc3c16e47df6f3826a9984cbb99aa015ba2ce518a47b3d5d8e5aed85da78
              • Instruction Fuzzy Hash: 62415BB0E1520D9BCB48DFA9C5819EEFBB2FF85240F24C99FC015AB315D7349A428B95
              Memory Dump Source
              • Source File: 00000000.00000002.1463221314.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7480000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66ca4395b344489a34246ec9d1cdf562de6d07d0e299acccf96458716656a53d
              • Instruction ID: 10abd7fe81483b4d6f659b54d4f62d3001b8c9eb1383645edd041c62abe044bd
              • Opcode Fuzzy Hash: 66ca4395b344489a34246ec9d1cdf562de6d07d0e299acccf96458716656a53d
              • Instruction Fuzzy Hash: 69410BB0E1510DDBCB88EF9AC5819AEFBB6FF85240F14D99BC015A7214D7309A428B95
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f53fe275a82735649ad66208109eff7c77fc2aaae5599dc1d28c81c654955a62
              • Instruction ID: ab0edfbfa90553c2ff37f94cbf53a2aabdb6ec03a7552b3772c068c2d5827b7a
              • Opcode Fuzzy Hash: f53fe275a82735649ad66208109eff7c77fc2aaae5599dc1d28c81c654955a62
              • Instruction Fuzzy Hash: 5E312A71E006189BEB58CFABC94069EFBF3AFC9210F14C566C408A6228DB3059828F51
              Memory Dump Source
              • Source File: 00000000.00000002.1458800239.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5a90000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 624452b2524f7fc553573f108504f6e08d90dd953b9fc60fc644d570f681c1d8
              • Instruction ID: d73d982055539c9ee85dcf04271cb7493fb0ef8c8a1c051b282eb12bce8c7531
              • Opcode Fuzzy Hash: 624452b2524f7fc553573f108504f6e08d90dd953b9fc60fc644d570f681c1d8
              • Instruction Fuzzy Hash: 86310B71E156599FDB58CFABC84069EFFF3AFC9200F18C5AAC408AA225DB344586CF51

              Execution Graph

              Execution Coverage:0.8%
              Dynamic/Decrypted Code Coverage:5.3%
              Signature Coverage:9.8%
              Total number of Nodes:133
              Total number of Limit Nodes:13

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 41 4173a3-4173cc call 42f083 44 4173d2-4173e0 call 42f683 41->44 45 4173ce-4173d1 41->45 48 4173f0-417401 call 42da03 44->48 49 4173e2-4173e8 call 42f923 44->49 54 417403-417417 LdrLoadDll 48->54 55 41741a-41741d 48->55 52 4173ed 49->52 52->48 54->55
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417415
              Memory Dump Source
              • Source File: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_400000_PO#86637.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: dede90169ca1db16459994232f99263c7f2dcb4bb26b17399f27a86b55b0f282
              • Instruction ID: 803bad41f6ba97ca028c5b6ebb90ab713b5e5efc40e90978f485b4949f8331b9
              • Opcode Fuzzy Hash: dede90169ca1db16459994232f99263c7f2dcb4bb26b17399f27a86b55b0f282
              • Instruction Fuzzy Hash: 7E015EB1E0420DBBDB10DAE5DC42FDEB7B89B54308F4081AAED0897241F634EB588B95

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 61 42c283-42c2bf call 404673 call 42d4f3 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C2BA
              Memory Dump Source
              • Source File: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_400000_PO#86637.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: a3b23e781c8297b53f8e4474b48c3a032b94d0ec253a5db592d64cd3afe2f326
              • Instruction ID: 3acc76f724e085259d6ac582d8d2a4bb54828ea73bc7891a87a57e5bec1fb20c
              • Opcode Fuzzy Hash: a3b23e781c8297b53f8e4474b48c3a032b94d0ec253a5db592d64cd3afe2f326
              • Instruction Fuzzy Hash: 85E04F726002147BD620BA5ADC41F97776CDBC6714F00441AFB0867241C6B5B91187F8

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 75 1962b60-1962b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 3c1bc8fccb3fb1d7272736cf0f9c9b03d16dd65b7695a18d89b3fec152b40d36
              • Instruction ID: 88cdd937a8cd9545f647cf91fed95189d442a3eeaab275bb04f8af9c1128e21c
              • Opcode Fuzzy Hash: 3c1bc8fccb3fb1d7272736cf0f9c9b03d16dd65b7695a18d89b3fec152b40d36
              • Instruction Fuzzy Hash: BE9002612025000341097158441C616804E9BE0201B55C031E1054590DC52589916225

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 77 1962df0-1962dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b718d9d7ec66ca47dea8d14403af8c3bf72dd340a34540cb47ce01b1113aa437
              • Instruction ID: 029e9dac7dce4cfb8fe1404899387a03c5af09e565dc05cf1cd320d702fa6585
              • Opcode Fuzzy Hash: b718d9d7ec66ca47dea8d14403af8c3bf72dd340a34540cb47ce01b1113aa437
              • Instruction Fuzzy Hash: 3E90023120150413D1157158450C707404D9BD0241F95C422A0464558DD6568A52A221

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 76 1962c70-1962c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 8055aea14ab7b88b25826921186c591e568560d36c90202e13de019ae869baf3
              • Instruction ID: c4e71a7086309dd2fe3367d763fcf027edf77506a9fbc6924d95cec9ac6a08c2
              • Opcode Fuzzy Hash: 8055aea14ab7b88b25826921186c591e568560d36c90202e13de019ae869baf3
              • Instruction Fuzzy Hash: 8D90023120158802D1147158840C74A40499BD0301F59C421A4464658DC69589917221

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 78 19635c0-19635cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f04a9be9ef99b2f2feb17b9d2beb60f1f9fb6f6a528a03d08e6960eb55dc3bc3
              • Instruction ID: 1ae0065d480f3158949c3ded3739873f828b38a783ab809c5d9955b2036f13fa
              • Opcode Fuzzy Hash: f04a9be9ef99b2f2feb17b9d2beb60f1f9fb6f6a528a03d08e6960eb55dc3bc3
              • Instruction Fuzzy Hash: A690023160560402D1047158451C70650499BD0201F65C421A0464568DC7958A5166A2

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 42c5f3-42c637 call 404673 call 42d4f3 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C632
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_400000_PO#86637.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: `A
              • API String ID: 3298025750-2149027389
              • Opcode ID: acdd237a7a728e10ed32de03d3610bc6aa7b5a30a2fd813fd7ddd9c11810606e
              • Instruction ID: ef4f435ce52e82b347afb479fc27a960a2fd8fe731e4cd794d162683faa6edbf
              • Opcode Fuzzy Hash: acdd237a7a728e10ed32de03d3610bc6aa7b5a30a2fd813fd7ddd9c11810606e
              • Instruction Fuzzy Hash: A1E092B1204204BBC614EE99EC45FAB37ACEFC5714F00441AFA09A7241D7B9B91087B8

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 12 417423-41743a 13 417440-41744a 12->13 14 4173f6-417401 13->14 15 41744c-41747f 13->15 16 417403-417417 LdrLoadDll 14->16 17 41741a-41741d 14->17 15->13 20 417481-4174ac 15->20 16->17 21 417512-417513 20->21 22 4174ae-4174c3 20->22 24 417501 22->24 25 4174c5-4174ce 22->25 26 4174d1-417500 25->26 27 41750e 25->27 26->24 28 417510 27->28 29 417514-41752b call 42f0e3 27->29 28->21 33 41752d-41755e call 42f0e3 call 42b263 29->33 34 41755f-41757f call 42b263 29->34
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417415
              Memory Dump Source
              • Source File: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_400000_PO#86637.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 56 42c5a3-42c5e4 call 404673 call 42d4f3 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E1BE,?,?,00000000,?,0041E1BE,?,?,?), ref: 0042C5DF
              Memory Dump Source
              • Source File: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_400000_PO#86637.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 66 42c643-42c67c call 404673 call 42d4f3 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_400000_PO#86637.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 71 1962c0a-1962c0f 72 1962c11-1962c18 71->72 73 1962c1f-1962c26 LdrInitializeThunk 71->73
              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              Strings
              • Critical section address, xrefs: 01995425, 019954BC, 01995534
              • Critical section debug info address, xrefs: 0199541F, 0199552E
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019954CE
              • double initialized or corrupted critical section, xrefs: 01995508
              • corrupted critical section, xrefs: 019954C2
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019954E2
              • undeleted critical section in freed memory, xrefs: 0199542B
              • Thread identifier, xrefs: 0199553A
              • 8, xrefs: 019952E3
              • Address of the debug info found in the active list., xrefs: 019954AE, 019954FA
              • Critical section address., xrefs: 01995502
              • Invalid debug info address of this critical section, xrefs: 019954B6
              • Thread is in a state in which it cannot own a critical section, xrefs: 01995543
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0199540A, 01995496, 01995519
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              Strings
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019922E4
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0199261F
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01992409
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01992624
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01992412
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019924C0
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01992506
              • @, xrefs: 0199259B
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019925EB
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01992602
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01992498
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              Strings
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 019A8A3D
              • VerifierDebug, xrefs: 019A8CA5
              • HandleTraces, xrefs: 019A8C8F
              • VerifierDlls, xrefs: 019A8CBD
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 019A8A67
              • VerifierFlags, xrefs: 019A8C50
              • AVRF: -*- final list of providers -*- , xrefs: 019A8B8F
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              • API String ID: 0-3223716464
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              Strings
              • LdrpInitShimEngine, xrefs: 019799F4, 01979A07, 01979A30
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01979A01
              • apphelp.dll, xrefs: 01916496
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019799ED
              • minkernel\ntdll\ldrinit.c, xrefs: 01979A11, 01979A3A
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01979A2A
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 01998181, 019981F5
              • LdrpInitializeImportRedirection, xrefs: 01998177, 019981EB
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 019981E5
              • LdrpInitializeProcess, xrefs: 0195C6C4
              • minkernel\ntdll\ldrinit.c, xrefs: 0195C6C3
              • Loading import redirection DLL: '%wZ', xrefs: 01998170
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              Strings
              • RtlGetAssemblyStorageRoot, xrefs: 01992160, 0199219A, 019921BA
              • SXS: %s() passed the empty activation context, xrefs: 01992165
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019921BF
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01992180
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01992178
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0199219F
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              APIs
                • Part of subcall function 01962DF0: LdrInitializeThunk.NTDLL ref: 01962DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01960BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01960BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01960D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01960D74
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              Strings
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0195855E
              • LdrpInitializeProcess, xrefs: 01958422
              • minkernel\ntdll\ldrinit.c, xrefs: 01958421
              • @, xrefs: 01958591
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              Strings
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019921D9, 019922B1
              • SXS: %s() passed the empty activation context, xrefs: 019921DE
              • .Local, xrefs: 019528D8
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019922B6
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              Strings
              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0199342A
              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01993437
              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01993456
              • RtlDeactivateActivationContext, xrefs: 01993425, 01993432, 01993451
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
              • API String ID: 0-1245972979
              Strings
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01981028
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019810AE
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01980FE5
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0198106B
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              Strings
              • LdrpDynamicShimModule, xrefs: 0198A998
              • apphelp.dll, xrefs: 01942462
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0198A992
              • minkernel\ntdll\ldrinit.c, xrefs: 0198A9A2
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              Strings
              • HEAP: , xrefs: 01933264
              • HEAP[%wZ]: , xrefs: 01933255
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0193327D
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: 06caf4823422a07489a170cfe05d53a012a80036db9cc709986192dd98c2c622
              • Instruction ID: d596229fc8f65af92ca0d801ae71ad85ce1a7eb8f95198049192b483b7be6b38
              • Opcode Fuzzy Hash: 06caf4823422a07489a170cfe05d53a012a80036db9cc709986192dd98c2c622
              • Instruction Fuzzy Hash: 57F1B030600606DFEB26DF68C894F6AB7F9FF84704F188568E51A9B381D734E985CB91
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: 59f3e96fac97cccdb6c23c4c30323a2151996e33c1d0c4123e1af2e5986ae267
              • Instruction ID: b4dfce344fa4ffd7bca4fc37a81cd73a4a25dfe46c90aae3892eda59b3d8ae2e
              • Opcode Fuzzy Hash: 59f3e96fac97cccdb6c23c4c30323a2151996e33c1d0c4123e1af2e5986ae267
              • Instruction Fuzzy Hash: 11C27F716083459FE729CF68C881FABBBE9AFC9754F04892DE98D87241D734D805CB62
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: 4e280f3d210a0cdcbf61e4acdc2d501afeebff9a3a68fa55d781dc85dadd6e62
              • Instruction ID: 2a8999e040692932d369e8460a578ec4ac3d5a32533cc23cf7a6656bb6275088
              • Opcode Fuzzy Hash: 4e280f3d210a0cdcbf61e4acdc2d501afeebff9a3a68fa55d781dc85dadd6e62
              • Instruction Fuzzy Hash: F1A14C7191162A9BDB31DF68CC88BEAB7B8EF44711F1005EAEA0DA7250D7359E84CF50
              Strings
              • LdrpCheckModule, xrefs: 0198A117
              • minkernel\ntdll\ldrinit.c, xrefs: 0198A121
              • Failed to allocated memory for shimmed module list, xrefs: 0198A10F
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              • API String ID: 0-161242083
              • Opcode ID: 07fc91a1d0241e9256770ff7c7fc766f48e9aa1076acc6166339c14f8a41116c
              • Instruction ID: c0a087d71ac21cc61e6057796cc6317fc9d03c5fdf5b5638bbf2b5cba73fb47a
              • Opcode Fuzzy Hash: 07fc91a1d0241e9256770ff7c7fc766f48e9aa1076acc6166339c14f8a41116c
              • Instruction Fuzzy Hash: 3971D474E00205DFDB25EF68C940EAEB7F8FB88305F18446DE90ADB255E774A942CB54
              Strings
              • LdrpInitializePerUserWindowsDirectory, xrefs: 019982DE
              • Failed to reallocate the system dirs string !, xrefs: 019982D7
              • minkernel\ntdll\ldrinit.c, xrefs: 019982E8
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: 35fb929a9492faacc59cd3ced9d6a3571295627755b281b2e63a8a7097d9dfb5
              • Instruction ID: 76487882c84e6f21c34d81e8df5588e95dda11b0a8a2a7547e910d475216a934
              • Opcode Fuzzy Hash: 35fb929a9492faacc59cd3ced9d6a3571295627755b281b2e63a8a7097d9dfb5
              • Instruction Fuzzy Hash: 92410F7A504305ABCB21EB68D844F5B7BECEF89B50F00492AF94CE3294E770E801CB91
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 019DC1C5
              • PreferredUILanguages, xrefs: 019DC212
              • @, xrefs: 019DC1F1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 45189ca0c02d6fe248abe4c30dec879b29572b4e9f9f22cc428f3efe1dfebf98
              • Instruction ID: 57cdd234a5f477832a1b32e4620ec0564ddd32881005e953f59f40dd03cfa513
              • Opcode Fuzzy Hash: 45189ca0c02d6fe248abe4c30dec879b29572b4e9f9f22cc428f3efe1dfebf98
              • Instruction Fuzzy Hash: 18414171E00209EBEB11DBD8C891FEEBBBDAB54741F14816EE60DA7244D774DA44CB60
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 2118807f3bb7fa51df48c89b763be024ce3555dbc72045d02dc6ac2611135727
              • Instruction ID: 9c681878c66acf6ff3dc472ed3d824e888125aef252cf01e48617701546e37dc
              • Opcode Fuzzy Hash: 2118807f3bb7fa51df48c89b763be024ce3555dbc72045d02dc6ac2611135727
              • Instruction Fuzzy Hash: 40410731D006588FEB26DBD9CA84BEDBBB8FFA5340F140469D90AEB792D7349901DB50
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 019A4899
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019A4888
              • LdrpCheckRedirection, xrefs: 019A488F
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: d02741d3d2af9bcfacbdd62bb494cd931a7275062122eb30a5b3e2e33fae7307
              • Instruction ID: 6c7ae7c26651739b2eae2b4c3ebed81e6ec3e7ec7170401b2481fef2c16df7e2
              • Opcode Fuzzy Hash: d02741d3d2af9bcfacbdd62bb494cd931a7275062122eb30a5b3e2e33fae7307
              • Instruction Fuzzy Hash: 0D41D636A042919FCB21CE5CE840E267BE9EF89A51B8D056DED4DD7311D7B0D804CBD2
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-2558761708
              • Opcode ID: 2499103d31ef662dbb8c49d386c36311f7969319515172962d3105cab7d520a0
              • Instruction ID: 49281c83a7be52c0e05a1e673784efc2bf6fe721c643a66c8339fb5ed54d68c5
              • Opcode Fuzzy Hash: 2499103d31ef662dbb8c49d386c36311f7969319515172962d3105cab7d520a0
              • Instruction Fuzzy Hash: 5E11DF313151069FEB29EA28C481F76B3BAEF80B1AF19852DF40ECB255DB30D885C750
              Strings
              • LdrpInitializationFailure, xrefs: 019A20FA
              • Process initialization failed with status 0x%08lx, xrefs: 019A20F3
              • minkernel\ntdll\ldrinit.c, xrefs: 019A2104
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: ade7e680f7dd783d27a1bf9eade95174d07319f6acafb2ac04ff83ae0f870abc
              • Instruction ID: 6d07553d4e613c9963d3aa9a5f522c743e29a4fa56754e7a2a85af8c31de3886
              • Opcode Fuzzy Hash: ade7e680f7dd783d27a1bf9eade95174d07319f6acafb2ac04ff83ae0f870abc
              • Instruction Fuzzy Hash: C9F0C839640309AFEB25DB4CDC46F95376CFB81B54F500059FB0867281D5B0A645C691
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: 7d41fef1d44f2a2f80d99cee5a12f6fa0382f982d50a8a8f0b006b8e496b763d
              • Instruction ID: dd6a4c1ad3527acde49485146fe393ec19dbacb0ee441c5108a20eaa78966dc8
              • Opcode Fuzzy Hash: 7d41fef1d44f2a2f80d99cee5a12f6fa0382f982d50a8a8f0b006b8e496b763d
              • Instruction Fuzzy Hash: 9F714C71A0014A9FDB01DFA9C994FAEB7F8BF98704F154065E909E7251EB34EE05CBA0
              Strings
              • LdrResSearchResource Enter, xrefs: 0192AA13
              • LdrResSearchResource Exit, xrefs: 0192AA25
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              • API String ID: 0-4066393604
              • Opcode ID: 9fe212cf137b0397c46bd9e4c6157d4359b31c7065f5ecf362ceeb080015c12b
              • Instruction ID: 625c2be09e23d8667ad361f54b224448d27a8d54bf492b5dbe96adbbc0adfeae
              • Opcode Fuzzy Hash: 9fe212cf137b0397c46bd9e4c6157d4359b31c7065f5ecf362ceeb080015c12b
              • Instruction Fuzzy Hash: 7DE19272E002299FEF22DF99CA80BAEBBBAFF54710F104425E909E7655D734D941CB50
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: 95b8d3e0fed9d10f309e2ce79bbcf3fae4dbd5ee6824c8c29748937fced3be7a
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: FEC1D4312043429BE726CF28C849B6BBBE5BFD4715F044A2CF699C72A0D775D505CB51
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 885a2d9942a80393cf949fbe5692d74c6b0f562763a23084e84c5cd6ba4b9693
              • Instruction ID: 77c2d5129a747505b22a82fda7b6f32c3633efebcbf57f150ee8cb5e7f69213a
              • Opcode Fuzzy Hash: 885a2d9942a80393cf949fbe5692d74c6b0f562763a23084e84c5cd6ba4b9693
              • Instruction Fuzzy Hash: 7F613971E00619AFDB25DFADC840BAEBBB9FB48700F14446EE64DEB291D731A940CB51
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              • Opcode ID: a900d20ba27c2739d93f74947f3bae246cd3eab2b7ea6cb61134c79de1201fa7
              • Instruction ID: c52b431c881809feb5c3de980efe0c1d890872e5a128f57bf9f427a6a58520be
              • Opcode Fuzzy Hash: a900d20ba27c2739d93f74947f3bae246cd3eab2b7ea6cb61134c79de1201fa7
              • Instruction Fuzzy Hash: 25512A71E0025DAFDF11DFA9CC90AEEBBBCEB54B54F100529E659B7290D6309A05CB60
              Strings
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0192063D
              • kLsE, xrefs: 01920540
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: a4640bb3e06619c6041b9c4c9a18b4c0b19fa156b692cfef311cb2e67aa642b8
              • Instruction ID: adc785d93e27dcecbb3f29497f0313a80edda3e56f0546bb6f69844dff96a693
              • Opcode Fuzzy Hash: a4640bb3e06619c6041b9c4c9a18b4c0b19fa156b692cfef311cb2e67aa642b8
              • Instruction Fuzzy Hash: 2951DE715007528FD734EF29C444AA7BBE8AF84305F18493EFAAE87245E770D545CB92
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0192A309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0192A2FB
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 9638e24e5d7ea4842564c4c7b14d9e819e6e5126b47cfac51929df90a6965061
              • Instruction ID: 04712ed76aba5f8611d0328dd27062e4204f33a779835a2f9aa5e3d9b85ccaa6
              • Opcode Fuzzy Hash: 9638e24e5d7ea4842564c4c7b14d9e819e6e5126b47cfac51929df90a6965061
              • Instruction Fuzzy Hash: 1541FF32A05269CFDB21DF59C840B6E7BF8FF85700F1440A9E908DB696E3B5CA00CB80
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 2050ff5e24176b10d87ce1048a8da597b2de9852c5e7a5e9d1056597e752e697
              • Instruction ID: 9c4ff670e6a8a8c4b8b226f8a5437de4f094501f53fe0d1c1cfe161fe72dac9a
              • Opcode Fuzzy Hash: 2050ff5e24176b10d87ce1048a8da597b2de9852c5e7a5e9d1056597e752e697
              • Instruction Fuzzy Hash: 6B01F4B2241704AFD351DF24DD85F1677E8E794715F018A3DAA5CC7190E374D904CB5A
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 8233b4d3a1ba50283db10fd1f23716aeecab244e3c332c155d949e51d7303b5a
              • Instruction ID: eb4aebad443ed107e35d44cd7009134624fe410d4df3d371897ca6437bbb3a7c
              • Opcode Fuzzy Hash: 8233b4d3a1ba50283db10fd1f23716aeecab244e3c332c155d949e51d7303b5a
              • Instruction Fuzzy Hash: 09825B75E002298FEB25CFA9C880BEDBBB5BF49710F148169E91DAB399D7309D41CB50
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: 2223ca7e834c1a19104d23a754c7a17aca67778ba6960a634a0dabd2ac911ee5
              • Instruction ID: 1b38fbd55edf5254e1260191aa135ad1e8456824772de97618bc6e5c331babf7
              • Opcode Fuzzy Hash: 2223ca7e834c1a19104d23a754c7a17aca67778ba6960a634a0dabd2ac911ee5
              • Instruction Fuzzy Hash: 91718275E0030ADFDF28CF9DD590AADBBB5BF88701F14852EE909AB241E7319941CB60
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              • Opcode ID: b71a324766a22466bcd36682701b56d31622043fe7198683109dea4a9ee12ce9
              • Instruction ID: 4f513e71bec524b2820dee9799eb25463b8ae4b6ce39d74d90b7895c24a881d3
              • Opcode Fuzzy Hash: b71a324766a22466bcd36682701b56d31622043fe7198683109dea4a9ee12ce9
              • Instruction Fuzzy Hash: 7B519172E0022ADFDF10DF99D850EAEBBB8AF44F50F05412DEA59BB244D3349901CBA5
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: de7937174e64069d93a65b50b9ab87c7fb2ec688e95bf35af917b3d9e5c94268
              • Instruction ID: d2258577c478e36fccfae1ad2fe0f5b9c2e9eab229f1e24ea28dece1815f98ff
              • Opcode Fuzzy Hash: de7937174e64069d93a65b50b9ab87c7fb2ec688e95bf35af917b3d9e5c94268
              • Instruction Fuzzy Hash: 11418072508346ABD722DA75C880FABB7ECAFC8714F44092DFA8DD7180E674DA04C796
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: cbc6312bb4e72247c0f3061148fedb022604477648a86640751d65dfceba604f
              • Instruction ID: 342945721f9d929766314de3d3b8a6b966cfa8ad2b2c64b92a6e2c213b69433b
              • Opcode Fuzzy Hash: cbc6312bb4e72247c0f3061148fedb022604477648a86640751d65dfceba604f
              • Instruction Fuzzy Hash: 4C414FB1D0022DAFDF21DB64CC84FDEB77CAB85714F0045A5AA0CAB140DB709E898FA5
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: b37743291a6b5d1652cbe058964396956e5a1e5828943156cd02e27720d41a21
              • Instruction ID: 8509a11e7c90f66a7c5d3fd461478a8cb8ec51bbc8265d804a286c23989912fc
              • Opcode Fuzzy Hash: b37743291a6b5d1652cbe058964396956e5a1e5828943156cd02e27720d41a21
              • Instruction Fuzzy Hash: 08310831E007199BEB22DB69C991BEE7BBCDF45704F144028EA49AB282D775FC05CB50
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 019A895E
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Opcode ID: b4258c0171550e8867b907b892812dcf31aa92f32df951dba2933cebe4392877
              • Instruction ID: c432c760c7987b3d3df22dc1a1ad2777f7fddab6235a29fd4d1bf81e68c07135
              • Opcode Fuzzy Hash: b4258c0171550e8867b907b892812dcf31aa92f32df951dba2933cebe4392877
              • Instruction Fuzzy Hash: BE012B36600211AFE6216B59CC84E967F6AFFC6656F84042CF64D06555CB30688AC7D2
              • Instruction Fuzzy Hash: B8C168746083418FE764DF18C484BABB7E8FF88304F44496DE98987295E774EA09CF92
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c22c09823bee717b6cd29cf1d8904eadd0d5412a00b1c5754ea0e6d66edc5f92
              • Instruction ID: b1eab2b2b6072f1f182811f1ce70de062298f1353ad92b24148178cd07ae894e
              • Opcode Fuzzy Hash: c22c09823bee717b6cd29cf1d8904eadd0d5412a00b1c5754ea0e6d66edc5f92
              • Instruction Fuzzy Hash: F9B17F70A4426A8BDB25CF68C880BADB7F5EF84740F0485E9D50EE7285EB709DC5CB21
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2904fda29ab1953c1f4bb7c260da3832fb24c05a456d37430885033392327efe
              • Instruction ID: 7b865e0b1f437c3079c0d032071cb3c2aec43a4bcbe45a03e2a5117e5ad5792f
              • Opcode Fuzzy Hash: 2904fda29ab1953c1f4bb7c260da3832fb24c05a456d37430885033392327efe
              • Instruction Fuzzy Hash: 0FA11931E006199FEB21DB5CC844FADBBB8BF41724F050165EA19AB2D1D7789D41CBD1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d222c948ffd121992620a5992e3aaa41fda1a2e4ca0ac480cee5c7d48d1bd3f6
              • Instruction ID: 1abeca6b0e0bc25f09f3cbd18beecac9f91d05b769d992c09a1b3c0e73e07bf1
              • Opcode Fuzzy Hash: d222c948ffd121992620a5992e3aaa41fda1a2e4ca0ac480cee5c7d48d1bd3f6
              • Instruction Fuzzy Hash: 55A1D170B016169BDB25CF69C9D0BBAB7B9FF54715F08402DEA4D97281EB34E811CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d3afe4c7603159703b1f44741b4e110fb0b5cf60e085cb0a81078e4df9edbd7
              • Instruction ID: a792171858ff7fe2d70ce701aa6b95549cd6cfa52c4803d3b976fb7ef5b91d15
              • Opcode Fuzzy Hash: 9d3afe4c7603159703b1f44741b4e110fb0b5cf60e085cb0a81078e4df9edbd7
              • Instruction Fuzzy Hash: 71A1BD72A04212AFD721DF18C980B6ABBE9FF88714F05092CE68DDB651D334E901CB92
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction ID: c82bb93c1671768b62a92ad57b2672b747d62167201e9eaf59115ed7c94b28c0
              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction Fuzzy Hash: C7B10B71E0061AEFDB15CF99C880BADB7B5FF88311F148169EA19A7354D730E945CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2ac5f90df34c11dd0fa353e74117b61b94a687a726779d9c2e9112a35d1339b8
              • Instruction ID: 8921513c790e8914a51e79d40a716ccdcafd98711f63efa171eef94c7708ff6c
              • Opcode Fuzzy Hash: 2ac5f90df34c11dd0fa353e74117b61b94a687a726779d9c2e9112a35d1339b8
              • Instruction Fuzzy Hash: 4B91C971D00216AFDB15CFA8D894B7EBFB5AF48710F594159E618EB340D734E9058BE0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2269cfbeb47aad815161d685691cd3dd9898f160d65bf46a70dcda05734196e8
              • Instruction ID: c7a4e4f00887b68627af48a48f43998568b513169e9f1b9557473b15d53814a9
              • Opcode Fuzzy Hash: 2269cfbeb47aad815161d685691cd3dd9898f160d65bf46a70dcda05734196e8
              • Instruction Fuzzy Hash: 00913632A00616DBEB24EB59C444B7EBBA6FFD8B15F054469E90DDB380E634DD01CB91
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2781a7a74fa672fc579453d5838d10c4baf8d517ced5e980ad1d67f21ab321cc
              • Instruction ID: 3d9f2012d5e302b93d578a68fd10f4cf13fe839b2327339c55347185cb96683e
              • Opcode Fuzzy Hash: 2781a7a74fa672fc579453d5838d10c4baf8d517ced5e980ad1d67f21ab321cc
              • Instruction Fuzzy Hash: 48818271E006169BEB15CF69C980ABEBBF9FF48700F14852EE549E7640E334D940CBA4
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: bc266bd00a2222c7d4f50d8ad0dd03d22bb8fad0831d1ffbd22df7a6390c087d
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: B581A531A002069FDF1ACF99C888AAEBBF6FFC4310F188569D91A9B354D774E951CB50
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3c7123962f61ccd45db72f8f14aff97bfa4e823802ba7141a7dee8212e008c8
              • Instruction ID: bc86ddd4346d58b909e8f3099207f4723617ee889a60f14216188c651e3f201d
              • Opcode Fuzzy Hash: d3c7123962f61ccd45db72f8f14aff97bfa4e823802ba7141a7dee8212e008c8
              • Instruction Fuzzy Hash: 81817E71A00609EFDB65CFA9C880AEEFBB9FF88354F10442DE559A7250D731AD45CB60
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 967dce11249a54b7b051c3c7561c314029c0a79231be010b268d41a7579ad8a6
              • Instruction ID: 7e8f9f541009b3568fa3b3f293573116c4ea454a24582028b5243c60d815a3a3
              • Opcode Fuzzy Hash: 967dce11249a54b7b051c3c7561c314029c0a79231be010b268d41a7579ad8a6
              • Instruction Fuzzy Hash: 2D71D079D04625DBCB26DF58C890BBEBBB5FF98711F14451BE94AAB350D370A801CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f0e6f13674d398e98601b12fbfffca954bc140c603aa7fc0828e66783296881
              • Instruction ID: f8150566322285d5eb5689992951852ecd65561134c8d371d3248abc5ce636c9
              • Opcode Fuzzy Hash: 5f0e6f13674d398e98601b12fbfffca954bc140c603aa7fc0828e66783296881
              • Instruction Fuzzy Hash: 5071BB70A00605EFDB20CF99DA44A9ABBFCFFA1341B05815AE60CEB658C7B1C945CF65
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fb5fcb9f75c195a0470f7689b66617d2b90117cbddf6ff1f6f8f6a310366aa7
              • Instruction ID: 70738b47a675f8b377080141e848deaf44229471642a8bc9b466408bccba5798
              • Opcode Fuzzy Hash: 4fb5fcb9f75c195a0470f7689b66617d2b90117cbddf6ff1f6f8f6a310366aa7
              • Instruction Fuzzy Hash: BA71BF756046428FD312DF28C484B2AB7E9FFC4714F0485AAE89DCB356DB34E946CB91
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 18396c3ea4185bb05564fad95901f47cf2b67fcb4b7154a094fccb13f94a129e
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 4F718E71E00619AFDB10DFA9C984EEEBBB9FF88700F144569E509E7250DB34EA05CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 663e922180371c8a4066b1cc81fd1b323fdc00307872ae4c37f299c9ff64b5a0
              • Instruction ID: 00e34f67e20bd838929b7483a3a48e5d9b9dd137801eed0f59a83175e271b8db
              • Opcode Fuzzy Hash: 663e922180371c8a4066b1cc81fd1b323fdc00307872ae4c37f299c9ff64b5a0
              • Instruction Fuzzy Hash: A271E632140B01AFE732DF18CA84F96BBBAEF84711F144818E65D872A0D779F944CB50
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e73648d01e2fe8daa6ef74cd42195d027372afdd6b7aaacdac223be01778cd1
              • Instruction ID: 72f9f66cc3f8d70d3064a52755585aafb288d4178301a761d65e829508da66b5
              • Opcode Fuzzy Hash: 9e73648d01e2fe8daa6ef74cd42195d027372afdd6b7aaacdac223be01778cd1
              • Instruction Fuzzy Hash: B681AD72A043168FDB28DF9CD484BADBBF9BF88711F15412DD908AB289C7349D41CB94
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c9727d02c28e497f470b40e64166cd94ab36de3e7a1b917d9d690412c4fb3f9
              • Instruction ID: 68dac63f3e28c937de9840c4ba88be9fcc9c2d926edc15d382882ecb3728a92d
              • Opcode Fuzzy Hash: 7c9727d02c28e497f470b40e64166cd94ab36de3e7a1b917d9d690412c4fb3f9
              • Instruction Fuzzy Hash: 12711A71E00209BFDF55DF94C845FEEBBB9FB44350F104169E618A7290D774AA45CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c1c029ed15a57b8c99bf47fc21545a99c6ad0363e909514874ff5680c06246f
              • Instruction ID: aa80348e6dfb4e83b91ceef1addadde772b4aeb6c6e92c0f03c0a01329b22cad
              • Opcode Fuzzy Hash: 4c1c029ed15a57b8c99bf47fc21545a99c6ad0363e909514874ff5680c06246f
              • Instruction Fuzzy Hash: FB51D272508712AFD711DE68C844E5BB7ECEBC9B50F018929BA48DB150D774ED14CBA2
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d6a3cb987b62ac34b40cb89f9099cdee2a7613d54bc469a71efc8f742da5bc7
              • Instruction ID: a9c173706a8e0657b5115ead689820577dbb17b05ebb1c24c55b75a611c05941
              • Opcode Fuzzy Hash: 4d6a3cb987b62ac34b40cb89f9099cdee2a7613d54bc469a71efc8f742da5bc7
              • Instruction Fuzzy Hash: 3551D470900705EFD731DF9AC884AABFBF8BF94B10F104A1ED29A576A0D7B0A545CB51
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30cf005e8ce359e873f80e3030471b5a338d14f4610bd030ba6532a88bc7d632
              • Instruction ID: 6ccdd428c43a05f788d64d202fe50b54301bf40571ee3f63cdd0fca61d0c8471
              • Opcode Fuzzy Hash: 30cf005e8ce359e873f80e3030471b5a338d14f4610bd030ba6532a88bc7d632
              • Instruction Fuzzy Hash: 77519E71640A05DFCB22DF69C980EAAB7FDFF94744F40086DE90997260D735EA41CB51
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a18ef57da6724f8e119f43402e52aec46638fd2259788ad65b1d6c2a1c38c25d
              • Instruction ID: f52ce5a4fa1be723d31edffd533f96bec3ff67dcd3e2d70615d270fe930ac11c
              • Opcode Fuzzy Hash: a18ef57da6724f8e119f43402e52aec46638fd2259788ad65b1d6c2a1c38c25d
              • Instruction Fuzzy Hash: FD5167716083029FD754DF29C991A6BBBE9BFC8A04F44492DF589C7250EB30D905CBA2
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: 715c5d6100d6708051723a096ee6b139cb500dda325bf3a6f6e476f3c231f566
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: 44518F71E0021AABDF25DF98C440FEEBBB9AF45754F044069EA09AB250D734DD45CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction ID: dc9f056382280dc990e64bd5ff91cc6863f85091ebd136eb68e288d9b5245a3d
              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction Fuzzy Hash: 3F51D431D0021AEFEF21DB95C898FAEBB78AF40325F514665D91A67290D7309E488BF0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52cb85abc1da044591743880bd90969c9e6d234b3650cd3e39ee924e6d2ffc31
              • Instruction ID: 8bf26cdf3dcb85492fe4fc7539ce0a0aa6329846df8612b62a9353d3c82a35a1
              • Opcode Fuzzy Hash: 52cb85abc1da044591743880bd90969c9e6d234b3650cd3e39ee924e6d2ffc31
              • Instruction Fuzzy Hash: F341F870B01601ABDB27DBADC95CB3BBBDEEFD1221F088518E91D8B280D730D811C691
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 35c4fb13ed45824b3e712ad0f076f857a2d50052cf2ed758c63241d0eff5e9f4
              • Instruction ID: a6b820e2822f2a91c8f08dc6002ed5e9c5ed93c634ce209bee4ce0dab28b4689
              • Opcode Fuzzy Hash: 35c4fb13ed45824b3e712ad0f076f857a2d50052cf2ed758c63241d0eff5e9f4
              • Instruction Fuzzy Hash: E4518B76D0021ADFCB20DFA9C8809AEBBF9FB88214B914919D51DAB304D770AD06CBD0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52d5b8c58aff5a722c9af771f3454f28d588baf2dd9ca6b2c353707f250ff546
              • Instruction ID: 1f42aaa3162413b830bbda851233dd674f642635a6069b13f8f3217643e5ef9d
              • Opcode Fuzzy Hash: 52d5b8c58aff5a722c9af771f3454f28d588baf2dd9ca6b2c353707f250ff546
              • Instruction Fuzzy Hash: 25412B356403029BDF65EF6D9891FAF3B6DEB98708F01052DED0EAB241D7B19801C7A8
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction ID: 58bad2832f290bd332c758a27bbb9cf34ab43dd488a201601b9a4a7020a268df
              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction Fuzzy Hash: F541FA716047169FDB26CF58C988A6BB7EAFFD0211B05462EE91A87250EB30FD18C7D0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d6e67377ff2fd02778b37557554ab94f61b513c6cf8273ec3191d433b353cd0
              • Instruction ID: 12309be756ff21f0032cd77ab9397c797bdb51f311a361e9c72bbdda05045bd7
              • Opcode Fuzzy Hash: 2d6e67377ff2fd02778b37557554ab94f61b513c6cf8273ec3191d433b353cd0
              • Instruction Fuzzy Hash: 7D419A3690021A9BDB54DF98C440AEEBBB8BF88710F18816AFD19F7350E7359D41CBA4
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71798ba38ced5a71335053bddd1bdba53c4e0b2eb60b35f6d6b3cee721187be7
              • Instruction ID: 6990794d6036def67c3f65da40a786f4c118f8fcfbbba257098fe5226ce922d4
              • Opcode Fuzzy Hash: 71798ba38ced5a71335053bddd1bdba53c4e0b2eb60b35f6d6b3cee721187be7
              • Instruction Fuzzy Hash: 2B41A172A043029FD725EF28C884E2BB7E9FF88315F004929EA5EC7651EB35E845CB55
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: f38a5fb0f1a1e9ca29f9c4af6c760191a27dafc293bb894948e3a38439c8c3cc
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: F7515B75A00615CFCB15CF9DC580AAEF7B6FF84710F2881A9D919AB351D770AE42CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f98fde2ef179b30797f61401c82e4e8295640cbff3223c00b8b7429cd8d7e6d
              • Instruction ID: c9026e0a04d0134adf73f0a95843ef3a6f0fcd1596cdf79054d20c8ef56e5d79
              • Opcode Fuzzy Hash: 0f98fde2ef179b30797f61401c82e4e8295640cbff3223c00b8b7429cd8d7e6d
              • Instruction Fuzzy Hash: 4D511970900226DBDB26DB28CC00BA8BBB5FF52314F1882A5D92DE76D5D774A981CF80
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92fb909d488bd8ab696be69af02bb926346b73da9b8b2a56ad573317000131be
              • Instruction ID: f0de2bb9b3bf6f0873129eaa70cb0d6e10fc92ca5c0b114a063b1ba4c52bb5dc
              • Opcode Fuzzy Hash: 92fb909d488bd8ab696be69af02bb926346b73da9b8b2a56ad573317000131be
              • Instruction Fuzzy Hash: 37418E75E402299BDB21EF68C944FEA77B8BF99740F0500A5E90CAB241D7749E80CF91
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: b75239d4b6d48669ecd49339807d0405f2629a8ec510c00246feb9d22b1cb84f
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: EB417475B10106ABDB16DBD9CC88AAFBBFEAF88651F144069E908A7341D671DD018B60
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6553e7cfc237ae3f2197a0767ae439fd4937d615b7a67c41386b12cc3bfcb6d1
              • Instruction ID: 08ee81e158223115d6fe6d9147deaa2207c965dfd6d52e216432ee0a2aa65138
              • Opcode Fuzzy Hash: 6553e7cfc237ae3f2197a0767ae439fd4937d615b7a67c41386b12cc3bfcb6d1
              • Instruction Fuzzy Hash: 0E41DEB56007169FE325CF28C480A26BBF9FF89314B188A6DE54F87A54E731E845CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d655eb7817473ea5cbc222433ee69f382edfcbba70a5c60f91e7e8283ec90171
              • Instruction ID: 9aee2e1a412ad77cd72499c7f4d326cfaf1213b143586f973795efd2f1739d62
              • Opcode Fuzzy Hash: d655eb7817473ea5cbc222433ee69f382edfcbba70a5c60f91e7e8283ec90171
              • Instruction Fuzzy Hash: 4F41FE36A80205CFDB21DF6CC994FED7BB4FB58B21F084569D41AAB380DB349901CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
              • Instruction ID: 8a2d72915d397c7b5382c18d6da4b68301a6e9e3a40646d56e60f0643b391cc4
              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
              • Instruction Fuzzy Hash: 9321AC72600601DFD775CF49C540E66BBEAEB98B11F108A3DE94DA7610D730EC00CB84
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72fdc37887f8c9793f11d06b24ba9c049b293a12c3394e79d56d19b249cf1078
              • Instruction ID: 7e97d6aa345c677a515ff55b783640141d45f3529a59aa1c69ce1c8e4423ab77
              • Opcode Fuzzy Hash: 72fdc37887f8c9793f11d06b24ba9c049b293a12c3394e79d56d19b249cf1078
              • Instruction Fuzzy Hash: DB217C35A00205DFCB14CF58C580A6ABBF5FB88314F30456DD109A7395C771AD06CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81c22c1d1f44b4fafc9f2c319aa5eb532ff06850aa97e6a5f1cca15fe82f087f
              • Instruction ID: f5c264e38e49037b73e1df0493021a42c97ba23889b04cbad6f4a9bb5360bc8a
              • Opcode Fuzzy Hash: 81c22c1d1f44b4fafc9f2c319aa5eb532ff06850aa97e6a5f1cca15fe82f087f
              • Instruction Fuzzy Hash: F9216A75600B01EFD761CF68C881F66B7E8FB84350F84882DE9AED7650DA70A840CB60
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee3b6c521c8dd3eef32a2dde4b48826dd31d96a7ab00bdda87646d1fb82f423d
              • Instruction ID: b57c95af8066c0544e96e49d962bbd37396a0cba2c34f50f477ac1d5c4de15ce
              • Opcode Fuzzy Hash: ee3b6c521c8dd3eef32a2dde4b48826dd31d96a7ab00bdda87646d1fb82f423d
              • Instruction Fuzzy Hash: 23112B377041149FCB19DB29CC85E6B725AEFD5374B254929D92ECB290EA30DC02C390
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 78c312e1c9f1a6d47bbde3dbb55270269290593095d4073cbb5c8a2acb143a83
              • Instruction ID: 7f0e520f56f1d3fd01163972d7a5707b3fa607330c53834a435b19c9b8612567
              • Opcode Fuzzy Hash: 78c312e1c9f1a6d47bbde3dbb55270269290593095d4073cbb5c8a2acb143a83
              • Instruction Fuzzy Hash: F911A332240514EFD722DF9DCA80FDA77A8EF99B51F114029F649DB261DA70F901C7A0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1cd0c67bcf5342248d3b1c5cd1d2a76a9f5d8123afb731115f2976c17785b77e
              • Instruction ID: fddc874d1f151d660274f91ca36b519d7a5f6c221d3da1724c43c54f411a8be7
              • Opcode Fuzzy Hash: 1cd0c67bcf5342248d3b1c5cd1d2a76a9f5d8123afb731115f2976c17785b77e
              • Instruction Fuzzy Hash: 5F11BC76A013059BCB65CF59C580E5ABBE8AB84610B414079DD0DEB310E670DE00CBA4
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction ID: 8575be2335fa778c0b0089dbd0748d631f7d235152802c748581164bf3c80586
              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction Fuzzy Hash: E2110436A00905AFDB1ACB58CC09B9DBBF5EFC4210F058269E85997350E671FE11CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
              • Instruction ID: 6bd84f4ff92ecc668a9eeda74b7d8aa8c05e68d2bb73a139bf658127006e1494
              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
              • Instruction Fuzzy Hash: 4421F4B5A00B059FD7B0CF29C440B52BBF4FB48B10F10492AE98AC7B50E371E814CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction ID: 7fb9ffdc7160bc8d367e086a2fbd08ff36589a1d6d1cbf5d1b4ef3dfe1364a48
              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction Fuzzy Hash: 8C11A032600601EFE7219F4CC840F56BBB9EF85755F458428EA0D9B160DB31DD48DBE1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 449f0756129ff8826a2d2ceb17ba79c8d17bc96ec0e74ac6e856a3376365fa73
              • Instruction ID: f1bdf0720250fb2dcfd2a1fae6fcfef9d45672d8cff9fdb47d799f0079a7a359
              • Opcode Fuzzy Hash: 449f0756129ff8826a2d2ceb17ba79c8d17bc96ec0e74ac6e856a3376365fa73
              • Instruction Fuzzy Hash: 7F01D631645645ABF316A76EE888F2B7B9CFFC0395F050465F90CCB251D954DC00C2B2
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b3cd80c105aa60710b909b60991a4544189c088d292686be9b6d73b2cd7bdbb
              • Instruction ID: e6fff8a73847a915ddf81f6e0b04e38a14e91263a183cd97b51708e6170ea491
              • Opcode Fuzzy Hash: 9b3cd80c105aa60710b909b60991a4544189c088d292686be9b6d73b2cd7bdbb
              • Instruction Fuzzy Hash: BC110E36201664AFDB25CF5AC884F167BACEB86B65F004529FA2C8B254C370E800CF60
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a997c8907e09583b3865c50da38c803bfa316efbc5ee4540c8d6460f334db78c
              • Instruction ID: 73ec4563271c6a125c596155f96e4f8d48f11fd90ea333d105fe27cabbf6d61b
              • Opcode Fuzzy Hash: a997c8907e09583b3865c50da38c803bfa316efbc5ee4540c8d6460f334db78c
              • Instruction Fuzzy Hash: 3D112536200605AFD722DA29D844F2BB7AAFFC4313F14442DEB4AC7291DA30E802CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbd69ede33d1ecd82b8021e94c00431d932069b962126bd5ba57eec1db55febd
              • Instruction ID: 7e08c113668fc17df3125827bf74d8aadefc886fceab6ce1148f28885de98f08
              • Opcode Fuzzy Hash: dbd69ede33d1ecd82b8021e94c00431d932069b962126bd5ba57eec1db55febd
              • Instruction Fuzzy Hash: 9911C272A02615EBDB21EF59C980B5EFBBCEF84741F910058DE08B7200D730AD018B60
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c565127eaa1fe11a7ccc14595ea98624203cb55fc918c9b5e9e03edd1de8000a
              • Instruction ID: 1fa3c0469833842460850f48511ad412ee703f0393049602542ee78cc2d36dac
              • Opcode Fuzzy Hash: c565127eaa1fe11a7ccc14595ea98624203cb55fc918c9b5e9e03edd1de8000a
              • Instruction Fuzzy Hash: 1801D4759001099FC725DF19D444F26BBF9FBD6314F64816AE1098B264D7B4EC46CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction ID: 52dcba763bbe91057de03f2d39d9981fc7d7f2bfb592186ed9f748f0a0b28fc0
              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction Fuzzy Hash: 5011E5722016C69BEB23A72DD948F257BD8FB80755F1914E0DE4DC7642F32CC842C290
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction ID: 6f2ab6da2839785e8f92867f3095e303706ba7704b1e1d69de0e220e30f3a9d7
              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction Fuzzy Hash: 7A019E32600216AFE7219F58C840F5ABEADEBC5B56F458424EA0D9B260E771DD48CBD0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: a6b41ef9d835494943d6c1fb34d0db2bdf0ec1125c4d156073104f0627f84170
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: 0D0126714067699BCB318F19D840AB27BA8EF95761B008D2DFCAD8B285C335D840CB60
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b77dedb341f4dbb4e474460d9f420169c2ec66e077244a012f986c0b58854375
              • Instruction ID: d5ede6fd9e8639da09f257082e9a93cee034cbb57394560a90aeb0b187cde788
              • Opcode Fuzzy Hash: b77dedb341f4dbb4e474460d9f420169c2ec66e077244a012f986c0b58854375
              • Instruction Fuzzy Hash: AE010432641101ABC3229F1CC800E13B7ACEB81B71B154219EA6C9B192E630D881C780
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe8dfbd6a1facd0eaf8e9e3a58657dce574a7711dd20f3742aca84971c9e49e8
              • Instruction ID: 715ce66db1f8fe9e73cc284acd45a0d48732cd6371a8948da8b446a2da4c5baa
              • Opcode Fuzzy Hash: fe8dfbd6a1facd0eaf8e9e3a58657dce574a7711dd20f3742aca84971c9e49e8
              • Instruction Fuzzy Hash: 8E11C032241241EFDB15EF19CD90F5ABBB8FF98B44F2400A5F9099B661C235ED01CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: beac458cf54580bddf2a0f2da60aaf8a8da089f67864613438caf0b3882f3ea2
              • Instruction ID: 4635411233c90ec8ceffb28abf97d32a4a57b14bbb472f267becf995590b1c87
              • Opcode Fuzzy Hash: beac458cf54580bddf2a0f2da60aaf8a8da089f67864613438caf0b3882f3ea2
              • Instruction Fuzzy Hash: BC115A70541229ABDB25EF64CD42FE9B278EB95710F504194A71CE60E0DA709E85CF94
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 185603de76091e6651a0ea192a09dc291607e5474fad469fa4120f2f04a3cc14
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: 2701F132A002208BEF119B69D880FA2776ABFC4701F1944A9EE1D8F24ADA758C81C390
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b86cbad2b7b3bca6c7d6fdffaa052b4de02313cc4e52e9146d971f19a4178310
              • Instruction ID: 81ce9203327455963e7f931438c8266b892744d2fdc033a70f48863b1f9fb06d
              • Opcode Fuzzy Hash: b86cbad2b7b3bca6c7d6fdffaa052b4de02313cc4e52e9146d971f19a4178310
              • Instruction Fuzzy Hash: 78112977900119BBCB11DB95CC84DDFBB7CEF88258F044166E90AE7211EA34EA59CBE0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f8598be142895e2a3587077c4c482490bd573c33c0685351edfa5da87acd790
              • Instruction ID: 1cc3061da8daf55654d31d41b4ca962af7546ab26458ada834622b586e9800d1
              • Opcode Fuzzy Hash: 3f8598be142895e2a3587077c4c482490bd573c33c0685351edfa5da87acd790
              • Instruction Fuzzy Hash: 5311A1366441469FD711CF58D940BE6BBB9FB9A314F088159E8488B315D772FC85CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5c2aee37c5b98ef66c7ada0f11ec9c0cce3f5d05d9fb59b87c2842f6db06d6b6
              • Instruction ID: 35e5968b37d66041564a278e351b3c69eaaed4c17c13740ca91ec8337ad4365e
              • Opcode Fuzzy Hash: 5c2aee37c5b98ef66c7ada0f11ec9c0cce3f5d05d9fb59b87c2842f6db06d6b6
              • Instruction Fuzzy Hash: 1711E8B5E002099BCB04DFA9D545AAEBBF8FF58250F50406AE909E7351D674EA018BA4
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e17b73e3aa70ceb7c8a2c355fb0fc7cdbe8fde55aabb3c936c9f6b756c2b6d34
              • Instruction ID: aa4152957e2b8f239db215df60203ece86f0d98bc9f0b86bcf5ac4fec0edcda2
              • Opcode Fuzzy Hash: e17b73e3aa70ceb7c8a2c355fb0fc7cdbe8fde55aabb3c936c9f6b756c2b6d34
              • Instruction Fuzzy Hash: 84118075A0020DEFCF15DFA8C851FAE7BB9FB85380F004059F9199B250D635AE11CBA0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 47535c51ae17248c77a4c9879bd56fc1f021a2d0e51cdf1c097b0a9849ef3a53
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: 5C012832200749AFEF22DAAAC800FA777EDFFC6610F044819EA4E8B544DA70F541C750
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b48f355334f9e1823bf8d78d8d79bac5220d8bcafecaae6f4b1653b5a3bfaef
              • Instruction ID: db43536d76c10ef7b599a460f886abfbb2399de26f4b596cd953411f85cd7627
              • Opcode Fuzzy Hash: 3b48f355334f9e1823bf8d78d8d79bac5220d8bcafecaae6f4b1653b5a3bfaef
              • Instruction Fuzzy Hash: 1801A272641A02BFD711AB7ECD84E57BBACFFD86A4B000669B50D83551DB64FD01C6E0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4038f2be856e12f6ec452b8237a4cbf656611b5a2c81bd045d6962f935aa3755
              • Instruction ID: c04deaad38804856f4b023535e5158d4d138d6c5857079cf664acf83752c28af
              • Opcode Fuzzy Hash: 4038f2be856e12f6ec452b8237a4cbf656611b5a2c81bd045d6962f935aa3755
              • Instruction Fuzzy Hash: 2901FC322142069BD720DF6AD9C89E7FBACFF99760F114529E95D87280E730A911C7E1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d06574377d0ceabef8180b02367ee41e394a3b3ec43ee3620ef1b0338e04dac
              • Instruction ID: 75d6dbfddaaed5e9eb9517322389163470859ac576a742328d4e052b2cda59bb
              • Opcode Fuzzy Hash: 5d06574377d0ceabef8180b02367ee41e394a3b3ec43ee3620ef1b0338e04dac
              • Instruction Fuzzy Hash: FE116D75A0020DEBDF15EFA8C844EAE7BB9FB88740F004059FD059B340DA39EA15CB90
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67c0ce0450cdef3539e31536ac3d44568c1f3e54d53b1ce0994cb84fa2341345
              • Instruction ID: bf58c8b929827e1bf3d60980edbfcad2da4cb67aa2a542979a7a8ead5dd726aa
              • Opcode Fuzzy Hash: 67c0ce0450cdef3539e31536ac3d44568c1f3e54d53b1ce0994cb84fa2341345
              • Instruction Fuzzy Hash: CE1139B16183099FC700DF69D44299BBBF8EFD9710F40491AF998D7391E634E901CBA2
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
              • Instruction ID: fc113fd0eecaac08dde62062537a7c053f350277b06f2641dc11c941889345f6
              • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
              • Instruction Fuzzy Hash: 4D01FC32210A01AFDB21DA5DD844F57B7EAFFC5210F04481DE74ACB650DA70F844C754
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 89bc051ecca0ae7146d1e2ad6fe595cf91f856170d6a8cefc951674fcb6cf9e9
              • Instruction ID: 88efb80426b863ad59f52f62ba3e5c0966b5c8d22a9d5035af23ae8c4a9e3935
              • Opcode Fuzzy Hash: 89bc051ecca0ae7146d1e2ad6fe595cf91f856170d6a8cefc951674fcb6cf9e9
              • Instruction Fuzzy Hash: E51179B16083089FC300DF69D44195BBBF8FF99350F00891AF998D73A0E630E900CBA2
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 0a6ee81017e808ca47e8953d093bb8433de4bedd79fe2354150bcd983de78dc0
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: 580178322046809FE322861DCA48F36BBECEF84765F0904A1F90DCB6A1D628DC40CA61
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1baaed8deaadfe8d41d55e485bd52c34d129b40cb261417cd0e154d5f18e8e2b
              • Instruction ID: 82df50f1c67aa2b5b32d1e4179883de93ff72bd3a25cb125fc9680ef73581564
              • Opcode Fuzzy Hash: 1baaed8deaadfe8d41d55e485bd52c34d129b40cb261417cd0e154d5f18e8e2b
              • Instruction Fuzzy Hash: DA01F231B00609EFC715EF69D8009EEBBBCFF80260F4948299A09E7688DE30DD46C790
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: bdbee08ee2bce90dfb1e322d4e8b8f5218a0d8e922317e946d12e82e324c79fe
              • Instruction ID: 1d896c441bb8b79dec716e0d824eb0fa674f26169283421572c469ff65a28716
              • Opcode Fuzzy Hash: bdbee08ee2bce90dfb1e322d4e8b8f5218a0d8e922317e946d12e82e324c79fe
              • Instruction Fuzzy Hash: 3101A271244701AFD3319F1AD840F12BEA8EF95F60F05482EB24A9F390D6B0E8418B65
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: acc637d34963430cebd14575f2e4f59768f7355a1dd9dde4678d824ec3b09bb1
              • Instruction ID: e6fb3d4d86d4bccb9e192b3a631668a532b864570cf7786442d05cfeadce279c
              • Opcode Fuzzy Hash: acc637d34963430cebd14575f2e4f59768f7355a1dd9dde4678d824ec3b09bb1
              • Instruction Fuzzy Hash: 1490023120150802D1087158480C68640499BD0301F55C021A6064655ED66589917231
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5c5100859af43574aa3f123535c5f5ee749b311a0d148b2f0398788bc6c0be6
              • Instruction ID: f4c6b847304d6b83dba36ab150a3ebbf2c7bd6b72b215898f61c7e706a6e006a
              • Opcode Fuzzy Hash: f5c5100859af43574aa3f123535c5f5ee749b311a0d148b2f0398788bc6c0be6
              • Instruction Fuzzy Hash: D190023160550802D1547158441C74640499BD0301F55C021A0064654DC7558B5577A1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15f379328513c7029fe1b2346d6038a4e03c94e8ba65720391fb6b0c89f367a0
              • Instruction ID: e5082e4c21ed0b5ac6bdbd6da22fccfce199bb2d398081c66fa9420e131e8a92
              • Opcode Fuzzy Hash: 15f379328513c7029fe1b2346d6038a4e03c94e8ba65720391fb6b0c89f367a0
              • Instruction Fuzzy Hash: C090023120150802D1847158440C64A40499BD1301F95C025A0065654DCA158B5977A1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a4400de2ebbb0072e63659e02272062b49532b53ea4e4ff81b1c288a7105bcc
              • Instruction ID: 48abfcf06e384293e94804e5452f1925c3b85d63fb54250430a6a4b4cf725337
              • Opcode Fuzzy Hash: 4a4400de2ebbb0072e63659e02272062b49532b53ea4e4ff81b1c288a7105bcc
              • Instruction Fuzzy Hash: F190023120554842D1447158440CA4640599BD0305F55C021A00A4694DD6258E55B761
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9daab9d6ba782ae5dbfbe503167ab1c565c561ac947cae6a8703b5b9ee762d4
              • Instruction ID: 7de4f22ba3f9dcf31acf0a6f548b414a9d7e6edd1396f3e69a01560958cfb8ef
              • Opcode Fuzzy Hash: b9daab9d6ba782ae5dbfbe503167ab1c565c561ac947cae6a8703b5b9ee762d4
              • Instruction Fuzzy Hash: F59002A1201640924504B258840CB0A85499BE0201B55C026E1094560CC52589519235
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1a4e98ef9be17a23fd888ea333dd87ed60895932344b9feea4a6822fd484cd46
              • Instruction ID: 2e74366b9c44751d1d6d0cfd8e3b527df7a2da38daceb65f8d084e22b9599dba
              • Opcode Fuzzy Hash: 1a4e98ef9be17a23fd888ea333dd87ed60895932344b9feea4a6822fd484cd46
              • Instruction Fuzzy Hash: FD90043531150003010DF55C070C50740CFDFD5351355C031F1055550CD731CD715331
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a52f9d2c72722e3ad5284e9cd2732d3a318b72e93c22ce754b847a6536489fd
              • Instruction ID: 246016e3d9df645862b28439ebbf99e8a906eca566e9c07a342d9635a76d21ee
              • Opcode Fuzzy Hash: 8a52f9d2c72722e3ad5284e9cd2732d3a318b72e93c22ce754b847a6536489fd
              • Instruction Fuzzy Hash: BF900225221500020149B558060C50B4489ABD6351395C025F1456590CC62189655321
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6cb6574275aa1c2b71caa68c098d7abc6b47b7b7a7fa305b34adaebe3a31d5ea
              • Instruction ID: 8f964f42733a81c2f58b6237d15a3de22e2ee53d0c40934c3c2b2a98f02ebe31
              • Opcode Fuzzy Hash: 6cb6574275aa1c2b71caa68c098d7abc6b47b7b7a7fa305b34adaebe3a31d5ea
              • Instruction Fuzzy Hash: B090023124150402D1457158440C606404DABD0241F95C022A0464554EC6558B56AB61
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 64cbbbd8047bdaae3356081d84c185589ac9466596386f6719ffeecda4be0c37
              • Instruction ID: b3de83bdf661cca8c0613cb1e55caef9a9894fb228ca584fa5d3dff5419bdba7
              • Opcode Fuzzy Hash: 64cbbbd8047bdaae3356081d84c185589ac9466596386f6719ffeecda4be0c37
              • Instruction Fuzzy Hash: E2900221242541525549B158440C507804AABE0241795C022A1454950CC5269956D721
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: efe0862a06dfe77b79e1ef7f70aa9aba771a0962412f1d6a4011bb4cbe8bacb1
              • Instruction ID: 3dea46950918ae88ac786db5aab1ae911f4a7a8d24cebb0cb7bd46cddd32ab42
              • Opcode Fuzzy Hash: efe0862a06dfe77b79e1ef7f70aa9aba771a0962412f1d6a4011bb4cbe8bacb1
              • Instruction Fuzzy Hash: 2690022921350002D1847158540C60A40499BD1202F95D425A0055558CC91589695321
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 046691a736696f2cfd66836e1b73e49d355d0a18c4e45dcd9f7ae0ea2008cef2
              • Instruction ID: 9fc3f1d32dee5c9ba88400df302c9063158b395069f8b05418148eda814615fe
              • Opcode Fuzzy Hash: 046691a736696f2cfd66836e1b73e49d355d0a18c4e45dcd9f7ae0ea2008cef2
              • Instruction Fuzzy Hash: EE90022120554442D1047558540CA0640499BD0205F55D021A10A4595DC6358951A231
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db6c6883719b160f831cfd99f957b3f877860bb26bd4497aa8eeac3328b4056
              • Instruction ID: 635c2c1770f10acb136f364a36ebd76bfa604cfbc58604df639a29da102a554a
              • Opcode Fuzzy Hash: 0db6c6883719b160f831cfd99f957b3f877860bb26bd4497aa8eeac3328b4056
              • Instruction Fuzzy Hash: 3C90022130150003D1447158541C6068049EBE1301F55D021E0454554CD91589565322
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9a263e105675ea5f04de27f99b60d542809377a5e904240564df4eeb8e5a921
              • Instruction ID: 920a7e2d08b20bb35d9e2f8d217d4d5c075788427a5dbec324d86c80029fa766
              • Opcode Fuzzy Hash: b9a263e105675ea5f04de27f99b60d542809377a5e904240564df4eeb8e5a921
              • Instruction Fuzzy Hash: 6F90023120150402D1047598540C64640499BE0301F55D021A5064555EC66589916231
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5afc261609ba78487d093a765f3c10cb4bcb89973b1876b2f1ee003c26c6bbb6
              • Instruction ID: 78a572ea9b9ba316a7abb236346c3fddc11bcaa07090d79a257dbd4b8e852cb0
              • Opcode Fuzzy Hash: 5afc261609ba78487d093a765f3c10cb4bcb89973b1876b2f1ee003c26c6bbb6
              • Instruction Fuzzy Hash: E190022160550402D1447158541C70640599BD0201F55D021A0064554DC6598B5567A1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 70709a383806dd40c5e54312dfe65f4d30767593d0ccde19a7c347532c142d48
              • Instruction ID: fe238772249a8d381f74624a3a65623f7f1fea5e6a4b62cf22cc1a7f1cc3ae56
              • Opcode Fuzzy Hash: 70709a383806dd40c5e54312dfe65f4d30767593d0ccde19a7c347532c142d48
              • Instruction Fuzzy Hash: EE90043130150403D104715C550C707404DDFD0301F55D431F047455CDD757CD517331
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05569ae4026dcd95f91e8031e3cc01ff36cefd6ee80473a9c0d0064a42585aa2
              • Instruction ID: 67523e19542b3806c61310173cb4d48e7e0175c4e077466e05fd4a6c62c5c320
              • Opcode Fuzzy Hash: 05569ae4026dcd95f91e8031e3cc01ff36cefd6ee80473a9c0d0064a42585aa2
              • Instruction Fuzzy Hash: D990023120150842D1047158440CB4640499BE0301F55C026A0164654DC615C9517621
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a807197ec12f7df2785ddc84948c45065217bbe3c9aebca8e85f0969eb773d9
              • Instruction ID: 766c49ecd2851af93006ad01ec78266555685013ff2f75154e7439990ba88f08
              • Opcode Fuzzy Hash: 7a807197ec12f7df2785ddc84948c45065217bbe3c9aebca8e85f0969eb773d9
              • Instruction Fuzzy Hash: E390023120190402D1047158481C70B40499BD0302F55C021A11A4555DC62589516671
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3827f71866f97da4f1d3d785d4c2c1a51fac6ecd30466efc75ed44c77bec6483
              • Instruction ID: c841212334b422d21c65110abc9f3cc749e7a289fe7a99a4cd2213f92c5e78a9
              • Opcode Fuzzy Hash: 3827f71866f97da4f1d3d785d4c2c1a51fac6ecd30466efc75ed44c77bec6483
              • Instruction Fuzzy Hash: D29002216015004241447168884C9068049BFE1211755C131A09D8550DC55989655765
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c996e58b55747eace33ffd0bf4acdf47f611abb1ba31c0845084e34937ff2369
              • Instruction ID: 9b98d7c0ced3f5d0783ada79de48f393e3ff40d9714178a064cd8d79a4fae8e7
              • Opcode Fuzzy Hash: c996e58b55747eace33ffd0bf4acdf47f611abb1ba31c0845084e34937ff2369
              • Instruction Fuzzy Hash: 1990023120190402D1047158480C74740499BD0302F55C021A51A4555EC665C9916631
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dcf2b51e83158da1d2d69c91163151ce07347c2cbaca582a45d35aaff3f4e5e3
              • Instruction ID: 723fa40aa9a0a748d49eaa0df8a6737ea0d0473c36eec1809108a35613ebc0a4
              • Opcode Fuzzy Hash: dcf2b51e83158da1d2d69c91163151ce07347c2cbaca582a45d35aaff3f4e5e3
              • Instruction Fuzzy Hash: E3900221211D0042D20475684C1CB0740499BD0303F55C125A0194554CC91589615621
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3370de3e00d3173837367a134d4e2a32ab208797494e3a485cbff511852e8d3
              • Instruction ID: 3e64cc3ebf16b7621ac5b2152616fb4828949fff35679c4c11d2286db863d823
              • Opcode Fuzzy Hash: f3370de3e00d3173837367a134d4e2a32ab208797494e3a485cbff511852e8d3
              • Instruction Fuzzy Hash: B790026134150442D1047158441CB064049DBE1301F55C025E10A4554DC619CD526226
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4ce263314d0b09f889cb0b00a7e09013e4129effa4462bfad9d6005d755d749
              • Instruction ID: 551eddaa89f872bd0d022bdcaa0cda98b1dc29022462b02bb7f41a1f5b54fcb7
              • Opcode Fuzzy Hash: d4ce263314d0b09f889cb0b00a7e09013e4129effa4462bfad9d6005d755d749
              • Instruction Fuzzy Hash: 0990026121150042D1087158440C70640899BE1201F55C022A2194554CC5298D615225
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 130fe34af1174291cabe8a3b018ce40235b73e07aaa4fb68bdd25f0efa5dc897
              • Instruction ID: 5553ae2fe33a9c17aa8b2991e4759d93a28ec863d2ee2e7aae9ede52aa40bbce
              • Opcode Fuzzy Hash: 130fe34af1174291cabe8a3b018ce40235b73e07aaa4fb68bdd25f0efa5dc897
              • Instruction Fuzzy Hash: D690022160150502D1057158440C616404E9BD0241F95C032A1064555ECA258A92A231
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6dbd742afa1c9e41fadafe9bd56b37042034595df33c136bb11defa54390fb30
              • Instruction ID: f6ba6a97fe0216b1a22cd42315c10e7d2c6ea576d1d145e07165fadbdf978126
              • Opcode Fuzzy Hash: 6dbd742afa1c9e41fadafe9bd56b37042034595df33c136bb11defa54390fb30
              • Instruction Fuzzy Hash: 6590027120150402D1447158440C74640499BD0301F55C021A50A4554EC6598ED56765
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fcbff25f70fb9340222a7c555bd21dadca9f2ad20fa5f26e91991f194109e863
              • Instruction ID: 6e104af968ad0f356c198c1fb025d33821a427a40cd7b4604770e680e04387cd
              • Opcode Fuzzy Hash: fcbff25f70fb9340222a7c555bd21dadca9f2ad20fa5f26e91991f194109e863
              • Instruction Fuzzy Hash: 9090026120190403D1447558480C60740499BD0302F55C021A20A4555ECA298D516235
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f6d69c1df9b5025b720698e9cdc111c4f4293ba64a062eb2c5c32cfe5808161
              • Instruction ID: 80d15999e1ea31b36ced420c32cd2c8957c31ad7660e2dd354fe3f434e4663e4
              • Opcode Fuzzy Hash: 1f6d69c1df9b5025b720698e9cdc111c4f4293ba64a062eb2c5c32cfe5808161
              • Instruction Fuzzy Hash: BD90022130150402D1067158441C606404DDBD1345F95C022E1464555DC6258A53A232
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e002b18b94efbc924911e3b894769f6aaf95c3fa11adcf58af8407c261b55945
              • Instruction ID: 8aa3fe67a215e499599dbece5de467ab99add0d63eaf04d8a099c5ba24c08dce
              • Opcode Fuzzy Hash: e002b18b94efbc924911e3b894769f6aaf95c3fa11adcf58af8407c261b55945
              • Instruction Fuzzy Hash: CF90022124150802D1447158841C707404ADBD0601F55C021A0064554DC6168A6567B1
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39d70a668e5567f53649b5373b2d4212e9923c18b650e2009e1d63a9b556fe4c
              • Instruction ID: 1306911f0e41a41d968bde14ced3caf9a2e44cbf88bf9469835fe45882479f1b
              • Opcode Fuzzy Hash: 39d70a668e5567f53649b5373b2d4212e9923c18b650e2009e1d63a9b556fe4c
              • Instruction Fuzzy Hash: 0490022120194442D1447258480CB0F81499BE1202F95C029A4196554CC91589555721
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1424cb7ced1e10318959f5eb7870d9c5a98bb52ada663aa5a9f86b11e0f35521
              • Instruction ID: 72a917bb7599699973a9f2b000238eeda2ab0206b422f38795811f821f544bf5
              • Opcode Fuzzy Hash: 1424cb7ced1e10318959f5eb7870d9c5a98bb52ada663aa5a9f86b11e0f35521
              • Instruction Fuzzy Hash: B890022124555102D154715C440C6168049BBE0201F55C031A0854594DC55589556321
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e4112ff87fc0ebc95b4baa77ba606590b0ecac290e8c12d43aeac143da24d44c
              • Instruction ID: 92b835a89ecf605094bcb984fea1b8dd4f00248f07dec3bb2bfc1a359b05f355
              • Opcode Fuzzy Hash: e4112ff87fc0ebc95b4baa77ba606590b0ecac290e8c12d43aeac143da24d44c
              • Instruction Fuzzy Hash: F19002312025014295447258580CA4E81499BE1302B95D425A0055554CC91489615321
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0922d167b1869cdb5ee7429ead6bfe1b842d02d426a0ce85921c364442a8b5d
              • Instruction ID: cf5c6792e618c0fb1cc39f5235c03458a43dfb2d4059a9b5e17bcb27d0c519cd
              • Opcode Fuzzy Hash: a0922d167b1869cdb5ee7429ead6bfe1b842d02d426a0ce85921c364442a8b5d
              • Instruction Fuzzy Hash: FB90023520150402D5147158580C646408A9BD0301F55D421A0464558DC65489A1A221
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 64dd93b18073fb171142489e2d078bde61a18f686bc14a4a0fe1910d473d5460
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              Strings
              • ExecuteOptions, xrefs: 019946A0
              • Execute=1, xrefs: 01994713
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019946FC
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01994655
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01994787
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01994742
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01994725
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: ee19f4abbc2c29ff2ff48aeec0ec0b4f81085ba473c007ff7f49f2a9e0818db9
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 0E81C230F0524A8EEF258E6CC8517FEBBBDAF45321F18451AD95BE7691E73488408B71
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 4b5f49604b728e689ad5dd78c0e542f8617b866000be49502d6c09696e68c531
              • Instruction ID: 90a4cefdcde9a22895b278d652eccd1ef3ed06bc6186afbe5f47ed3061ee2428
              • Opcode Fuzzy Hash: 4b5f49604b728e689ad5dd78c0e542f8617b866000be49502d6c09696e68c531
              • Instruction Fuzzy Hash: 0421357AE00119ABDB11DF79DC40AEEBBFCFF54654F484116E919E3204E730DA018BA1
              Strings
              • RTL: Re-Waiting, xrefs: 0199031E
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019902E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019902BD
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 23e99cd629569d6367df7f72af44d44214c09aa1c9236ab5ab78aac83db85540
              • Instruction ID: 252845fa34aa15af2b669445969e96c2c7c40e0750cf4c7973644951302cab28
              • Opcode Fuzzy Hash: 23e99cd629569d6367df7f72af44d44214c09aa1c9236ab5ab78aac83db85540
              • Instruction Fuzzy Hash: 02E1AD706047429FEB25CF2CC885F2ABBE8BF84314F180A59F5A98B2E1D774D945CB52
              Strings
              • RTL: Re-Waiting, xrefs: 01997BAC
              • RTL: Resource at %p, xrefs: 01997B8E
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01997B7F
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 7f6c07d9d7d7ebf707ae407d878af718f9454c5a980898f9b3b19d9aef39eeb9
              • Instruction ID: 4830bfa47d5841ed5b04a5b5ecda2332662194aaaa677a578a12b6e3d007db5e
              • Opcode Fuzzy Hash: 7f6c07d9d7d7ebf707ae407d878af718f9454c5a980898f9b3b19d9aef39eeb9
              • Instruction Fuzzy Hash: 6C41C2317007029FDB25DE29D840B6AB7EAEF98711F100A1DEE5EA7680DB71E4058B91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0199728C
              Strings
              • RTL: Re-Waiting, xrefs: 019972C1
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01997294
              • RTL: Resource at %p, xrefs: 019972A3
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 92580e12b59115f8cddc53472d9b2888d2599b895d39298fc630cfb1689195c0
              • Instruction ID: 69fc7be00a60f2fc1720073e6e7d7d0d53e4b976a54f69c92d862ebdf710b2ee
              • Opcode Fuzzy Hash: 92580e12b59115f8cddc53472d9b2888d2599b895d39298fc630cfb1689195c0
              • Instruction Fuzzy Hash: D841F431710206ABDB25CE69CC41F6ABBA5FF94711F100619FD5DA7240DB21E816CBD1
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: b8094a3e59f775e1bd1e9a8b6447ce3a519aefc32447f6541c3479f2443b6238
              • Instruction ID: e7326a50f30fab4e9343e4f6e6650b9cf340a6c4700cda8d6cc20398ee204d11
              • Opcode Fuzzy Hash: b8094a3e59f775e1bd1e9a8b6447ce3a519aefc32447f6541c3479f2443b6238
              • Instruction Fuzzy Hash: 8B317376A002199FDB20DF29CC40BEEB7BCAB54611F444556E94DE3200EF309A448BA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: a474a88b8179f966e793e43784aea763e9afef06f3dcf0605bda5081af11b29e
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 8491D670E002069BEB29CFADC890ABEBBADEF44725F14491AE95DE72D0D73499408771
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 472c6fc72625a01aecb6c759ecbd1126589f2ee162b712212acdfa8d07656fd8
              • Instruction ID: 85ee35552164863a98d0889c21608f8919eaa0759398bd95f96fd794c3c5e0c6
              • Opcode Fuzzy Hash: 472c6fc72625a01aecb6c759ecbd1126589f2ee162b712212acdfa8d07656fd8
              • Instruction Fuzzy Hash: A9811975D002799BDB31DB54CC44BEABAB8AF49714F1041EAEA1DB7240D7709E85CFA0
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 019ACFBD
              Strings
              Memory Dump Source
              • Source File: 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_11_2_18f0000_PO#86637.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4Qw@4Qw
              • API String ID: 4062629308-2383119779
              • Opcode ID: 9938afca379be3cb8d1f71a1816f923f6521a913f4f963022d04871ada954842
              • Instruction ID: 96a7fed9ebe167b10b79ced584561e20a320a0f062dbca1561162129e699c918
              • Opcode Fuzzy Hash: 9938afca379be3cb8d1f71a1816f923f6521a913f4f963022d04871ada954842
              • Instruction Fuzzy Hash: 4A41E475940225EFDB21DFE9C840AADBBF8FF98B10F00442AE909DB254D734D905CBA1

              Execution Graph

              Execution Coverage:8.8%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:132
              Total number of Limit Nodes:2
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e857780d9e65446abf07c2a3df18caff019a00648481888ac9a400b32b01871
              • Instruction ID: 79c7e6ed5bbf7ec7fa743fe59784e071b19b17e8eaab3b8073d6329c1b42ca1a
              • Opcode Fuzzy Hash: 8e857780d9e65446abf07c2a3df18caff019a00648481888ac9a400b32b01871
              • Instruction Fuzzy Hash: 0F81A0B4E112198FDB08DFE9C984AAEFBB2FF89300F14912AD415AB354D7749905CB64

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 7cfef3e-7cfefdd 3 7cfefdf-7cfefe9 0->3 4 7cff016-7cff036 0->4 3->4 5 7cfefeb-7cfefed 3->5 9 7cff06f-7cff09e 4->9 10 7cff038-7cff042 4->10 7 7cfefef-7cfeff9 5->7 8 7cff010-7cff013 5->8 11 7cfeffd-7cff00c 7->11 12 7cfeffb 7->12 8->4 20 7cff0d7-7cff191 CreateProcessA 9->20 21 7cff0a0-7cff0aa 9->21 10->9 14 7cff044-7cff046 10->14 11->11 13 7cff00e 11->13 12->11 13->8 15 7cff069-7cff06c 14->15 16 7cff048-7cff052 14->16 15->9 18 7cff056-7cff065 16->18 19 7cff054 16->19 18->18 23 7cff067 18->23 19->18 32 7cff19a-7cff220 20->32 33 7cff193-7cff199 20->33 21->20 22 7cff0ac-7cff0ae 21->22 24 7cff0d1-7cff0d4 22->24 25 7cff0b0-7cff0ba 22->25 23->15 24->20 27 7cff0be-7cff0cd 25->27 28 7cff0bc 25->28 27->27 29 7cff0cf 27->29 28->27 29->24 43 7cff222-7cff226 32->43 44 7cff230-7cff234 32->44 33->32 43->44 45 7cff228 43->45 46 7cff236-7cff23a 44->46 47 7cff244-7cff248 44->47 45->44 46->47 48 7cff23c 46->48 49 7cff24a-7cff24e 47->49 50 7cff258-7cff25c 47->50 48->47 49->50 51 7cff250 49->51 52 7cff26e-7cff275 50->52 53 7cff25e-7cff264 50->53 51->50 54 7cff28c 52->54 55 7cff277-7cff286 52->55 53->52 57 7cff28d 54->57 55->54 57->57
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CFF17E
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: f5ef0f65c2723e447d7ca5f1096e0b79fbbdd09aa50ef4895d5a56cc0d50fef5
              • Instruction ID: c52d8efddaae7fd6c0e4f35aeab2ab49c1cc79dede23c95a6571fec51d8df32d
              • Opcode Fuzzy Hash: f5ef0f65c2723e447d7ca5f1096e0b79fbbdd09aa50ef4895d5a56cc0d50fef5
              • Instruction Fuzzy Hash: 30A14CB1D0021ACFEB64CF68C8817EDBBB2EF48314F148169E919A7240DB759A85CF91

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 58 7cfef48-7cfefdd 60 7cfefdf-7cfefe9 58->60 61 7cff016-7cff036 58->61 60->61 62 7cfefeb-7cfefed 60->62 66 7cff06f-7cff09e 61->66 67 7cff038-7cff042 61->67 64 7cfefef-7cfeff9 62->64 65 7cff010-7cff013 62->65 68 7cfeffd-7cff00c 64->68 69 7cfeffb 64->69 65->61 77 7cff0d7-7cff191 CreateProcessA 66->77 78 7cff0a0-7cff0aa 66->78 67->66 71 7cff044-7cff046 67->71 68->68 70 7cff00e 68->70 69->68 70->65 72 7cff069-7cff06c 71->72 73 7cff048-7cff052 71->73 72->66 75 7cff056-7cff065 73->75 76 7cff054 73->76 75->75 80 7cff067 75->80 76->75 89 7cff19a-7cff220 77->89 90 7cff193-7cff199 77->90 78->77 79 7cff0ac-7cff0ae 78->79 81 7cff0d1-7cff0d4 79->81 82 7cff0b0-7cff0ba 79->82 80->72 81->77 84 7cff0be-7cff0cd 82->84 85 7cff0bc 82->85 84->84 86 7cff0cf 84->86 85->84 86->81 100 7cff222-7cff226 89->100 101 7cff230-7cff234 89->101 90->89 100->101 102 7cff228 100->102 103 7cff236-7cff23a 101->103 104 7cff244-7cff248 101->104 102->101 103->104 105 7cff23c 103->105 106 7cff24a-7cff24e 104->106 107 7cff258-7cff25c 104->107 105->104 106->107 108 7cff250 106->108 109 7cff26e-7cff275 107->109 110 7cff25e-7cff264 107->110 108->107 111 7cff28c 109->111 112 7cff277-7cff286 109->112 110->109 114 7cff28d 111->114 112->111 114->114
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CFF17E
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 749fd0f3be07fc17083ba7feaad575b7348559d17dc9f07c06cf09ca49c9b758
              • Instruction ID: 8562d4bfb23cfd21c346ad56d3a008247592073534a416ef9610cc2200f8f0a9
              • Opcode Fuzzy Hash: 749fd0f3be07fc17083ba7feaad575b7348559d17dc9f07c06cf09ca49c9b758
              • Instruction Fuzzy Hash: 03915BB1D0021ACFEB64CF68C8807DEBBB2FF48314F148169E919A7240DB759A85CF91

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 115 312b86a-312b87f 116 312b881-312b88e call 312b27c 115->116 117 312b8ab-312b8af 115->117 122 312b890 116->122 123 312b8a4 116->123 118 312b8c3-312b904 117->118 119 312b8b1-312b8bb 117->119 126 312b911-312b91f 118->126 127 312b906-312b90e 118->127 119->118 170 312b896 call 312bb08 122->170 171 312b896 call 312baf8 122->171 123->117 129 312b943-312b945 126->129 130 312b921-312b926 126->130 127->126 128 312b89c-312b89e 128->123 133 312b9e0-312baa0 128->133 134 312b948-312b94f 129->134 131 312b931 130->131 132 312b928-312b92f call 312b288 130->132 136 312b933-312b941 131->136 132->136 165 312baa2-312baa5 133->165 166 312baa8-312bad3 GetModuleHandleW 133->166 137 312b951-312b959 134->137 138 312b95c-312b963 134->138 136->134 137->138 140 312b970-312b979 call 312b298 138->140 141 312b965-312b96d 138->141 146 312b986-312b98b 140->146 147 312b97b-312b983 140->147 141->140 149 312b9a9-312b9ad 146->149 150 312b98d-312b994 146->150 147->146 172 312b9b0 call 312bdd8 149->172 173 312b9b0 call 312bde8 149->173 150->149 151 312b996-312b9a6 call 312b2a8 call 312b2b8 150->151 151->149 154 312b9b3-312b9b6 156 312b9b8-312b9d6 154->156 157 312b9d9-312b9df 154->157 156->157 165->166 167 312bad5-312badb 166->167 168 312badc-312baf0 166->168 167->168 170->128 171->128 172->154 173->154
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0312BAC6
              Memory Dump Source
              • Source File: 0000000C.00000002.1545088065.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_3120000_Fyepece.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 1d9fe1df4e73b87b5234db3545903c6d7bbd24adf6071d592c6bc3228ee7d1f5
              • Instruction ID: d3f7d4eb014543aefd157ab3c78e6326fe419b8ffe1d6b7c7534197d325d633b
              • Opcode Fuzzy Hash: 1d9fe1df4e73b87b5234db3545903c6d7bbd24adf6071d592c6bc3228ee7d1f5
              • Instruction Fuzzy Hash: 218133B0A04B158FDB24DF6AD54076ABBF1FF88200F048A2DD48ADBA50DB75E855CF90

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 174 7cfecb8-7cfed0e 177 7cfed1e-7cfed5d WriteProcessMemory 174->177 178 7cfed10-7cfed1c 174->178 180 7cfed5f-7cfed65 177->180 181 7cfed66-7cfed96 177->181 178->177 180->181
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CFED50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 619ea560314dc084fee40153eb073122168c6c38fea7d105cefd7ec4bd8e0aef
              • Instruction ID: fdaa436c8c09489ad30b2a588a493d7f56890bb9d282e2bc733c1cde5b97ee41
              • Opcode Fuzzy Hash: 619ea560314dc084fee40153eb073122168c6c38fea7d105cefd7ec4bd8e0aef
              • Instruction Fuzzy Hash: FD2137B59003599FDB10CFA9C885BEEBBF5BF48310F14842AE919A7250C7799544DBA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 185 7cfecc0-7cfed0e 187 7cfed1e-7cfed5d WriteProcessMemory 185->187 188 7cfed10-7cfed1c 185->188 190 7cfed5f-7cfed65 187->190 191 7cfed66-7cfed96 187->191 188->187 190->191
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CFED50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: bd75024feeca6173647ddc06c02ba11683cdc0254fb3e04a0bf3ac433dc66f32
              • Instruction ID: e5fe7c1d7c938d92dcf95d8cd3a5dbe68b1314d48b36da072de049d526417298
              • Opcode Fuzzy Hash: bd75024feeca6173647ddc06c02ba11683cdc0254fb3e04a0bf3ac433dc66f32
              • Instruction Fuzzy Hash: CB2139B19003599FDB10DFAAC881BDEBBF5FF48310F14842AE919A7250C7799944DFA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 195 7cfe2b2-7cfe303 198 7cfe305-7cfe311 195->198 199 7cfe313-7cfe343 Wow64SetThreadContext 195->199 198->199 201 7cfe34c-7cfe37c 199->201 202 7cfe345-7cfe34b 199->202 202->201
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CFE336
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 2e094b195a406a151dc308b36f5303c9f64309ec0295026222a1089a16a58ccd
              • Instruction ID: c94d4717d3300ebc4efa560ecb0a19da2bcb7aa30b4bf9d1f14bd85d87967acb
              • Opcode Fuzzy Hash: 2e094b195a406a151dc308b36f5303c9f64309ec0295026222a1089a16a58ccd
              • Instruction Fuzzy Hash: BC2138B1D003098FDB10DFAAC4857EEBBF4EF88620F54842ED559A7240CB799949CFA1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 206 7cfeda8-7cfee3d ReadProcessMemory 210 7cfee3f-7cfee45 206->210 211 7cfee46-7cfee76 206->211 210->211
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CFEE30
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: e882fd25acb52d077762986f66ad937999916d94b2107abe8c17a8c0db5c42dc
              • Instruction ID: 351a4e7566b7b353c38f8db6c333095e84139e7641f2966b92409f3f70687ccd
              • Opcode Fuzzy Hash: e882fd25acb52d077762986f66ad937999916d94b2107abe8c17a8c0db5c42dc
              • Instruction Fuzzy Hash: 8A214AB18003199FDB10DFAAC881BEEBBF5FF88310F548429E519A7240C7359945DFA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 215 7cfe2b8-7cfe303 217 7cfe305-7cfe311 215->217 218 7cfe313-7cfe343 Wow64SetThreadContext 215->218 217->218 220 7cfe34c-7cfe37c 218->220 221 7cfe345-7cfe34b 218->221 221->220
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CFE336
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: ea98e6e7344ee8c352fb5925e99964d24fc151ed3ac777734437e30d60396222
              • Instruction ID: d54d7179b930f1051a793fbce946b0a20b0e8a257d643894ec05298ba1c9f1df
              • Opcode Fuzzy Hash: ea98e6e7344ee8c352fb5925e99964d24fc151ed3ac777734437e30d60396222
              • Instruction Fuzzy Hash: AE2147B1D003098FDB10DFAAC485BEEBBF4EF88620F54842ED559A7240CB799945CFA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 225 7cfedb0-7cfee3d ReadProcessMemory 228 7cfee3f-7cfee45 225->228 229 7cfee46-7cfee76 225->229 228->229
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CFEE30
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: fdb273ff0418d4e66bfb5f525bb09db46ebbe6dd982d4993b61824f305c25d53
              • Instruction ID: e48ccffb2573ad479c0270c67910c4980e006a12ecf7f15e7905a8c39f31a01b
              • Opcode Fuzzy Hash: fdb273ff0418d4e66bfb5f525bb09db46ebbe6dd982d4993b61824f305c25d53
              • Instruction Fuzzy Hash: 272128B18003599FDB10DFAAC880BEEBBF5FF48310F548429E559A7250C7799501DBA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 233 7cfebf8-7cfec7b VirtualAllocEx 237 7cfec7d-7cfec83 233->237 238 7cfec84-7cfeca9 233->238 237->238
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CFEC6E
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 8a5b293ebb4a231955a7c62e1d153537e18feeffd5b996c42d34e3e83560280d
              • Instruction ID: f2208b0e64cd7c49d5522f24ee66b5bd23770433b2e6e0cd0fe32aaf2fcc5afe
              • Opcode Fuzzy Hash: 8a5b293ebb4a231955a7c62e1d153537e18feeffd5b996c42d34e3e83560280d
              • Instruction Fuzzy Hash: AD115C758003499FDF10DFAAC845BDEBFF5AF48320F148419E519A7250C7759940DFA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 242 7cfddc8-7cfde3f ResumeThread 246 7cfde48-7cfde6d 242->246 247 7cfde41-7cfde47 242->247 247->246
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: f82984091a6cfc6568ab4ad78c84f247c5b0e9938643cef7a912d5b59c2f2d6c
              • Instruction ID: 6e267968d3a7c11257d1658828b4f0b0935666da2d5e02054666a41be233bf1b
              • Opcode Fuzzy Hash: f82984091a6cfc6568ab4ad78c84f247c5b0e9938643cef7a912d5b59c2f2d6c
              • Instruction Fuzzy Hash: 4C115BB19003498FDB14DFAAC4457EEFFF5AF88624F24881DD51AA7240CB759545CFA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 251 7cfec00-7cfec7b VirtualAllocEx 254 7cfec7d-7cfec83 251->254 255 7cfec84-7cfeca9 251->255 254->255
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CFEC6E
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: ea40051eabf31d3ea5fd7ffbdb2c3224baef8320ab7fa789f6142cedc4e526a8
              • Instruction ID: f07ced85181093c44a09812eb012774f85fd76633d1b2a27ebabcd76321d6d39
              • Opcode Fuzzy Hash: ea40051eabf31d3ea5fd7ffbdb2c3224baef8320ab7fa789f6142cedc4e526a8
              • Instruction Fuzzy Hash: 9B1137718003499FDB10DFAAC845BDEBBF5EF88720F148819E519A7250CB769940DFA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 259 7cfddd0-7cfde3f ResumeThread 262 7cfde48-7cfde6d 259->262 263 7cfde41-7cfde47 259->263 263->262
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.1587266648.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7cf0000_Fyepece.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 267 312ba60-312baa0 268 312baa2-312baa5 267->268 269 312baa8-312bad3 GetModuleHandleW 267->269 268->269 270 312bad5-312badb 269->270 271 312badc-312baf0 269->271 270->271
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0312BAC6
              Memory Dump Source
              • Source File: 0000000C.00000002.1545088065.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_3120000_Fyepece.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 273 7dc5ae8-7dc5b61 274 7dc5b69-7dc5bf0 call 7dc5aa8 273->274 277 7dc5e5c-7dc5e63 274->277 278 7dc5bf6-7dc5bfd 274->278 279 7dc5bff-7dc5c14 278->279 280 7dc5c16-7dc5c1d 278->280 282 7dc5c39-7dc5c40 279->282 281 7dc5c1f-7dc5c30 280->281 280->282 283 7dc5c35-7dc5c37 281->283 284 7dc5c32 281->284 285 7dc5c5a-7dc5c61 282->285 286 7dc5c42-7dc5c58 282->286 283->282 284->283 288 7dc5c70-7dc5c81 285->288 289 7dc5c63-7dc5c6e 285->289 287 7dc5c8b-7dc5c8f 286->287 290 7dc5cb6-7dc5cbd 287->290 291 7dc5c91-7dc5c98 287->291 292 7dc5c86-7dc5c88 288->292 293 7dc5c83 288->293 289->287 296 7dc5cbf-7dc5cc3 290->296 297 7dc5cd3-7dc5cda 290->297 294 7dc5c9a 291->294 295 7dc5ca1-7dc5ca5 291->295 292->287 293->292 298 7dc5cee-7dc5d32 294->298 300 7dc5e38-7dc5e53 294->300 301 7dc5d87-7dc5dd5 294->301 302 7dc5d37-7dc5d82 294->302 295->298 299 7dc5ca7-7dc5cab 295->299 296->302 303 7dc5cc5-7dc5ccc 296->303 304 7dc5dd7-7dc5e1e 297->304 305 7dc5ce0-7dc5ce7 297->305 298->300 306 7dc5e20-7dc5e33 299->306 307 7dc5cb1 299->307 300->277 301->300 302->300 303->298 308 7dc5cce 303->308 304->300 305->302 309 7dc5ce9 305->309 306->300 307->300 308->300 309->298 309->300
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 22b1ccb39e78c0c61ba78543170a98c0133f0ea315682ad47711b98d9c26711d
              • Instruction ID: 8a61bff2a991721e8dd1bd83fc34d1499cd507a43a8420e6df0a868195c9bd9f
              • Opcode Fuzzy Hash: 22b1ccb39e78c0c61ba78543170a98c0133f0ea315682ad47711b98d9c26711d
              • Instruction Fuzzy Hash: C2D1E57591020BCFCF04CFA8D5889EDF7B1FF48314B259659D8066B259DB30AA9ACF90
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 5666b99272425a01cd05d96aca677c3c901d4a760ae586723eabe69b39e1ae43
              • Instruction ID: 3e9d112a6c3a1db93d177c66bdc0cf3b6158370e722bba9c12cd28df1b8c2ee4
              • Opcode Fuzzy Hash: 5666b99272425a01cd05d96aca677c3c901d4a760ae586723eabe69b39e1ae43
              • Instruction Fuzzy Hash: E2A1D97591020ACFCF04DFA8C5849DDF7B1FF58314B219659E806AB259DB30EA9ACF80
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b881d249fe9f3746e845b31c85a5d61b5776d3576ffba3d773613137d64c7524
              • Instruction ID: 63988159ed37181b0420581e09dde36611823023778554ece2185f3020538666
              • Opcode Fuzzy Hash: b881d249fe9f3746e845b31c85a5d61b5776d3576ffba3d773613137d64c7524
              • Instruction Fuzzy Hash: 0F72413191061ACFCB14EF68C8996ADBBB1FF45305F108299E549A7265EF30E9C6CF81
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7cb8a9d3bc79f2a90e74a6fc1f86fba9a7a10ec0593b5b47dc5c7f1997cae79d
              • Instruction ID: f5fa77136d9c571dc4a49f899b670ab76f60f0b3ee9c307ca5ef9f7f1dcda5d6
              • Opcode Fuzzy Hash: 7cb8a9d3bc79f2a90e74a6fc1f86fba9a7a10ec0593b5b47dc5c7f1997cae79d
              • Instruction Fuzzy Hash: 1642D671E1061ACBCB25DF68C9946DDF7B1FF89300F1086A9D459BB261EB30AA85CF50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12b9f53aa0e6c686407693fb023eda99ed0095192a2d1a1958c42ce417bc4b00
              • Instruction ID: 4ded0e3f1cf48c743c02c8098baf74aff2c6042407fcc961a46e9ae794bee8b3
              • Opcode Fuzzy Hash: 12b9f53aa0e6c686407693fb023eda99ed0095192a2d1a1958c42ce417bc4b00
              • Instruction Fuzzy Hash: 6E221774A10216CFCB14DF69C984BADBBB2BF89310F5485A8E40AAB365DB30ED45CF50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8bbb9acc9906f2bea4e73812fb27ba5988a4b13f6beeb4fdb39a361382a86f7a
              • Instruction ID: 0ffcf509b302afd01d487d84534d72e11bc2094bb68f64ef8af2385548d6dffa
              • Opcode Fuzzy Hash: 8bbb9acc9906f2bea4e73812fb27ba5988a4b13f6beeb4fdb39a361382a86f7a
              • Instruction Fuzzy Hash: 2EE10571E1061ACBCB25DF68C9946EDF7B1FF49300F1486A9D459AB261EB30EA81CF50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6322eef92a961cda28c169c2d1e9ba17c192c4e8098708ef65bff8383bbc6b4e
              • Instruction ID: 045fd0354138d39b3e4d5987ee8ef778824d523512521a03758f2fe923d16660
              • Opcode Fuzzy Hash: 6322eef92a961cda28c169c2d1e9ba17c192c4e8098708ef65bff8383bbc6b4e
              • Instruction Fuzzy Hash: EB715CB1B0061ACFDF14DFA9D8586AEFBB5EF89300F14856DE406A7290EB349945CB90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca655526a17814fe226d525aa62a3c2600e25db82d0efc36ff3f2ad24588fcdc
              • Instruction ID: ae30b48677c7b44972462b331e2485b4d1a03ff21167c8f88204c1caf307c2f9
              • Opcode Fuzzy Hash: ca655526a17814fe226d525aa62a3c2600e25db82d0efc36ff3f2ad24588fcdc
              • Instruction Fuzzy Hash: 5371CDB8600A018FC718DF29C498959BBF2FF8921571589A9E54ACB772DB72EC41CF50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c045922cadc080ca9c427631cf90a6947dcf44b381b38327b1ea02f7c17c73c5
              • Instruction ID: 64ca31b22a981d5eca8c141dc9010a8d26955183f3f2bdea3f4eea4d259bd6fb
              • Opcode Fuzzy Hash: c045922cadc080ca9c427631cf90a6947dcf44b381b38327b1ea02f7c17c73c5
              • Instruction Fuzzy Hash: 1371DFB9600A018FC718DF29C498A59BBF2FF89214B1589A9E54ACB772DB71EC41CF50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a47e6888bcbdbe49ab32ed8e49eee7871ed6abb5aacdda555f4b79c3b6ed336
              • Instruction ID: 7425a47075368460bb09d4d3993ae9c2f94bb88cb6d2842abfc59115094dc2a9
              • Opcode Fuzzy Hash: 4a47e6888bcbdbe49ab32ed8e49eee7871ed6abb5aacdda555f4b79c3b6ed336
              • Instruction Fuzzy Hash: 555158306106028FDB14EF69C898B9DBBF2FF89311F5486BCD5069B3A1DB70A845CB61
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22871ee6c2dda532d349847384ef31c49c080fe1a90e091b2f04663ff1fb377d
              • Instruction ID: 7db2d8eb066825970b7e871b21847b62c2e13e854e40ad131cf0962d1cfa2e65
              • Opcode Fuzzy Hash: 22871ee6c2dda532d349847384ef31c49c080fe1a90e091b2f04663ff1fb377d
              • Instruction Fuzzy Hash: EB516071B002168FCB15DBB9984496EBBF6FFC4220B15856AE419DB351EF70DC068BA1
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 84af997af030a1d29e4f57f4f8b704121727e0c0e838bae873b4a99682c89962
              • Instruction ID: 1d5356c0b5895e55aa5f77179ff09a78d26a8cc0541ea8ecb40fcb8cea34f908
              • Opcode Fuzzy Hash: 84af997af030a1d29e4f57f4f8b704121727e0c0e838bae873b4a99682c89962
              • Instruction Fuzzy Hash: 99418531A007199FCF04EF68C9449AEBBF9FF89300F5585ADE445AB211DB34E945CB91
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cbcb0b764740d6d3aab5bd2ecf6c809f61d43928e02efcc7ed812db1f6e673ef
              • Instruction ID: 8601e4167a4a33304b6e3eb8ded23490cd33df8bfb052e5affe8f98e07cba531
              • Opcode Fuzzy Hash: cbcb0b764740d6d3aab5bd2ecf6c809f61d43928e02efcc7ed812db1f6e673ef
              • Instruction Fuzzy Hash: BE417FB4A0062BCFCF15DB68DA55AADBBF9EF48714F14412DD800E7350DB759801DBA0
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb238137ff24cba8ae01a35c6b629669c25bcbc88aef3b63b0312efdf447d850
              • Instruction ID: 2f88ed81aa155a307cb19ef87fb95fe69b3e7b2ed9580e611bc01d252a1a86ae
              • Opcode Fuzzy Hash: bb238137ff24cba8ae01a35c6b629669c25bcbc88aef3b63b0312efdf447d850
              • Instruction Fuzzy Hash: 88413034A1071ACFCB04EFA8C584ADDFBB6FF85304F008559E515AB325EB71A946CB81
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e291261d3017d4d8c741c76de1bd678c706c6f36e549c423a5b7eadf993fcc8a
              • Instruction ID: d6ecd844f21f7d33ac06041f52e1c630de7b6f3360e0842e0227ba96b9af2ed4
              • Opcode Fuzzy Hash: e291261d3017d4d8c741c76de1bd678c706c6f36e549c423a5b7eadf993fcc8a
              • Instruction Fuzzy Hash: C8412E34A1071ACFCB04EFA8C9949DDFBB6FF89304F008559E515AB325EB71A946CB81
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fdd27ed95ede6633121248e90715201af6ea3c823f583efaa622300eeb89eb2a
              • Instruction ID: d2358e87b45d00bd1b290193cc6da82102d30d8605b7e64e7c4c27ca93080f16
              • Opcode Fuzzy Hash: fdd27ed95ede6633121248e90715201af6ea3c823f583efaa622300eeb89eb2a
              • Instruction Fuzzy Hash: B63135B6A14B069FD725DF28D452A56B7F2FB48350F044E2EE0A6CB780D774F8058B90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5829648e1afa1ca70c1f6cd090c9ac58f72839ebd1f4e4abed3b58fee7873e76
              • Instruction ID: d3b8d7e88727867010a86aaef8f10c5e8c2b9759db756aaf228023673f1532a1
              • Opcode Fuzzy Hash: 5829648e1afa1ca70c1f6cd090c9ac58f72839ebd1f4e4abed3b58fee7873e76
              • Instruction Fuzzy Hash: 9C41F3B4A002468FC714CF68C594A99FFF1FF09310B1986AAE84ADB352D735E885CF90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c03e13d57e60aa5f0c17df246d21c259513ca98a3c531b5ef10cec2894c49c9
              • Instruction ID: 51f810e3d956c2d1d430895caa8ce3d3042402a8051cee7d3073490856bb9150
              • Opcode Fuzzy Hash: 2c03e13d57e60aa5f0c17df246d21c259513ca98a3c531b5ef10cec2894c49c9
              • Instruction Fuzzy Hash: 1E41F675A1020ADFCB40DFA9D88499EFBB5FF49310B14C659E818EB311E770A986CF90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 645d83420b1581b33f4fc1431979b537f2409c0610382b6c0d0ff825c6dc7634
              • Instruction ID: b3207ac10a0ddcf748d084eb2b0647a566e57636dda4805b446772660fcf6d54
              • Opcode Fuzzy Hash: 645d83420b1581b33f4fc1431979b537f2409c0610382b6c0d0ff825c6dc7634
              • Instruction Fuzzy Hash: E341E675A1020ADFCB40DFA9D88499EFBB5FF49310B14C659E918AB311E730A986CF90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ed5e7536647e95b16941d98ec7bde8bd6dfd0ec7806beada96c9e8a62c833f1
              • Instruction ID: 6e938c72d6d9d782efe69d7936553256638130405e6de6788bf39213aac06111
              • Opcode Fuzzy Hash: 3ed5e7536647e95b16941d98ec7bde8bd6dfd0ec7806beada96c9e8a62c833f1
              • Instruction Fuzzy Hash: 122187B23102168FD714DB2DC8946697BE5FF85721B1981B9E109CF3A2DB35DC018B90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e53b093a8060a0bf35c312657dacc6750f8c081cef9db42c09cd07b60c3c7c3
              • Instruction ID: 4eba45983cc49c5c8637770bd4ee99564c98a4f4d8d7e34a647060c8e4388d69
              • Opcode Fuzzy Hash: 2e53b093a8060a0bf35c312657dacc6750f8c081cef9db42c09cd07b60c3c7c3
              • Instruction Fuzzy Hash: 413146743106168FC724DF19C58496ABBF6FF88711B51845EEA46CB761DB32EC41CB50
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf083decaa0f3ef90d1843bab22d815235cbb391a4c6b882f4323eb6b1b3b2ef
              • Instruction ID: 5ed9c6eccddbce9593bef7b3690b6bab7fc0aba34e4288e9494bde4431631d3e
              • Opcode Fuzzy Hash: cf083decaa0f3ef90d1843bab22d815235cbb391a4c6b882f4323eb6b1b3b2ef
              • Instruction Fuzzy Hash: E0316674610626CFCB20DF29C5808AABBF6FF88311751846EEA46CB761DB35EC42CB50
              Memory Dump Source
              • Source File: 0000000C.00000002.1518294538.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_150d000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5bbc006bfbfa5473e620a79b224afe6a766646dfaae358dfd7cdd8c425c67a5
              • Instruction ID: 7fbd1a5754298b68727540b4e6465462e75d2ec6f09e0d8ada632c0f72c0462e
              • Opcode Fuzzy Hash: a5bbc006bfbfa5473e620a79b224afe6a766646dfaae358dfd7cdd8c425c67a5
              • Instruction Fuzzy Hash: E1212772104200DFDB06DFD4D8C4B2ABBB2FB88314F24C559E9090E286C73AC416CB61
              Memory Dump Source
              • Source File: 0000000C.00000002.1518440904.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_151d000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd7ae4576b4dced5f0bf6446c5b724bb3c272aaf97e0fddb4cc8f22606e5d39e
              • Instruction ID: 9b4bb2ec770e199199235f3c5e2a30e8fd209fee64b10850255b357cd8992470
              • Opcode Fuzzy Hash: dd7ae4576b4dced5f0bf6446c5b724bb3c272aaf97e0fddb4cc8f22606e5d39e
              • Instruction Fuzzy Hash: 5421F5B5604304DFEB06DF54D9C8B2ABBB5FB84714F20C96DD8494F24AC33AD446CA61
              Memory Dump Source
              • Source File: 0000000C.00000002.1518440904.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_151d000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92620340440bae5e7a4d1f266b2af1ce0cf33f761cd8f56de0b7dd86d34eb776
              • Instruction ID: 4eef8da167673b893b1b209f73fc9f71ddc34c4e320240eb6691c3bd06743952
              • Opcode Fuzzy Hash: 92620340440bae5e7a4d1f266b2af1ce0cf33f761cd8f56de0b7dd86d34eb776
              • Instruction Fuzzy Hash: 4521D075604304DFEB16DF54D988B26BBB5FB84314F20C96DD84A4F28AD33AD847CA62
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49957ac13811d02217166cd933b105ca6825776803e2045b02f7a184c4385422
              • Instruction ID: b93ea7d914ca42b3795b716ce922f13c7a45e1cce5e026a50403cb54df9a9619
              • Opcode Fuzzy Hash: 49957ac13811d02217166cd933b105ca6825776803e2045b02f7a184c4385422
              • Instruction Fuzzy Hash: A1219FB57002169FCB24DE19C490E6AB7BAFF98B21F11442EE60687B50CB31FC41CB64
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9c3f91df180c357fd0bb2083532c5682be8c27f000877daebd88531dea0d41e
              • Instruction ID: d2bb113ffbac5118e2826db59557420ff2f8fbff1f7869ef5be83f18cbace0ce
              • Opcode Fuzzy Hash: f9c3f91df180c357fd0bb2083532c5682be8c27f000877daebd88531dea0d41e
              • Instruction Fuzzy Hash: 012133759106199FCB10EF6CD940599FBF4FF49310B50C26AE958A7200FB31E998CB91
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b2f9ac57c1e2b2428c7d57018c2ad6a8f6a4dee06acc8798c4ba5822004f82f
              • Instruction ID: 19166be3fc7a58f6f72ea91dc6384db0c405b405592e0b01977b6cbf911e8ede
              • Opcode Fuzzy Hash: 6b2f9ac57c1e2b2428c7d57018c2ad6a8f6a4dee06acc8798c4ba5822004f82f
              • Instruction Fuzzy Hash: DD31DDB0D01219DFDB20DF9AC989B9EBFF5AB48710F24801AE409AB244C7B59845CFA5
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 303876f9769c4adc39feb682e3f7e390c3139ceffee91830bb3965d6565ea982
              • Instruction ID: 8c25811b83f3bf49fe76aea0ec2c926b8b93809d641e3040644966b9e95db6d4
              • Opcode Fuzzy Hash: 303876f9769c4adc39feb682e3f7e390c3139ceffee91830bb3965d6565ea982
              • Instruction Fuzzy Hash: 95219FB57042129FCB24DE19C490E6AB7BABF98B20F01441EE95687B60CB31FC40CB65
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c77802c7d8b0133566253120f67a61175207081b8da2a30a065019de6ca0e3ba
              • Instruction ID: 0ac30ef22be781d074cedbb57c1a9e6c41336c83f6961aa3e7d16886a820b7fa
              • Opcode Fuzzy Hash: c77802c7d8b0133566253120f67a61175207081b8da2a30a065019de6ca0e3ba
              • Instruction Fuzzy Hash: 6A31CEB1C11319DFDB20DF9AC985B8EBFF5EB48710F24801AE408BB254C7B99845CBA5
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d8739702463738d0a970ae4dcb2013b8dc8b6e5fee9e350ab16994a998d7a29
              • Instruction ID: 44ad7c657fa95beb3ee23118c2d29d45d60270f08eaf2e1ab27b271989d429f6
              • Opcode Fuzzy Hash: 4d8739702463738d0a970ae4dcb2013b8dc8b6e5fee9e350ab16994a998d7a29
              • Instruction Fuzzy Hash: EC117FB57042129FCB24CE19C490E6AB7BAFF98B21F11402DE94687B60DB31FC41CB50
              Memory Dump Source
              • Source File: 0000000C.00000002.1518440904.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_151d000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05b03aab6aa872618029f49910abfd37cef8adf94442215b53c7d07ff8113b36
              • Instruction ID: ed7e46cd92ef7186c5af215c1e09396f87b1118ac2bcc964ce84bb09b6b0f91b
              • Opcode Fuzzy Hash: 05b03aab6aa872618029f49910abfd37cef8adf94442215b53c7d07ff8113b36
              • Instruction Fuzzy Hash: 65219F755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86619f07a564a31f1fef2545658d33af44abe11c9b5b66100e19f13fda66795b
              • Instruction ID: 818453594d27d86882fe7e2be51472f92dc4f9a9ea8b4f6b1fb48b4c5b2beec3
              • Opcode Fuzzy Hash: 86619f07a564a31f1fef2545658d33af44abe11c9b5b66100e19f13fda66795b
              • Instruction Fuzzy Hash: 9321DB75E0021A9FCB04DFA9C8849EFFBF5FF98310B10861AE524E7214E7749956CB90
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 267f03015a5208288ae945f6b73020d055f2eb7847ac510b7476614fb9b9be28
              • Instruction ID: f0d0bc819d3c7f65273c82222cc0d344e793ad1442b57db95927ee9d7a0261f2
              • Opcode Fuzzy Hash: 267f03015a5208288ae945f6b73020d055f2eb7847ac510b7476614fb9b9be28
              • Instruction Fuzzy Hash: F421FC71E0020E9FCB04DFADC8448AFFBF9FF98200B10851AE518E7210E770A956CB90
              Memory Dump Source
              • Source File: 0000000C.00000002.1518294538.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
              Memory Dump Source
              • Source File: 0000000C.00000002.1518440904.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ffd5a0a96046ffcb3cfaa54b557853e76a1364f9d49182172df9397f03bc71b
              • Instruction ID: 82fb9882c7f7d86b73ef2b28e22dd533e704cd1010c66e277b211721a8392736
              • Opcode Fuzzy Hash: 3ffd5a0a96046ffcb3cfaa54b557853e76a1364f9d49182172df9397f03bc71b
              • Instruction Fuzzy Hash: C7D05E703107149FC728DB1CE840C9AB3EAAF8861132486ADF009C7761DB61FC054784
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ffe44c6fe29fea1981bed60e3732130e87afec75ab6243b5cb4796876fa162b
              • Instruction ID: 83de5b9d8de070fcb7c472cc817316bafed7bcd37c24df9d805fd402ba74480f
              • Opcode Fuzzy Hash: 1ffe44c6fe29fea1981bed60e3732130e87afec75ab6243b5cb4796876fa162b
              • Instruction Fuzzy Hash: BED05E753042245BC709A64C9010B9BFACF8FCD650F15806FE5098B780DAB19C0003E9
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e68a317b684695a3dd6b4f4e259fcd24363743df436cf1f8f5755093693fb1c
              • Instruction ID: 1ac0f59d06a2645d6e8eed80a6f9c7cf697cd2ed378500d305773f9ad3e61f03
              • Opcode Fuzzy Hash: 5e68a317b684695a3dd6b4f4e259fcd24363743df436cf1f8f5755093693fb1c
              • Instruction Fuzzy Hash: A6D017B5641505EFD780DFB0C880E96BBF1EF28320F149129E608CB211D27A8453DF11
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c57be09cd6f0c1f3266f178b9e7faa41e5d417f648917966eac22c486012bdb6
              • Instruction ID: dff7e4907eef4c0107a399e5286fd887dc859645b2267a2566cbf66f8b3ad590
              • Opcode Fuzzy Hash: c57be09cd6f0c1f3266f178b9e7faa41e5d417f648917966eac22c486012bdb6
              • Instruction Fuzzy Hash: 0ED02B7245E3834FD7149F61BC38A39BFA44B02109F1D505EE086C7141E730C401C716
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4048187e692ef47bdb2e1d2b57d544691a4b2e65173138d9281db3adc5b21021
              • Instruction ID: 0a7799ce9f11cf372ddd57f587d5a6a3a57181e5cd80bbe98e8475d055fa449b
              • Opcode Fuzzy Hash: 4048187e692ef47bdb2e1d2b57d544691a4b2e65173138d9281db3adc5b21021
              • Instruction Fuzzy Hash: 4ED0A7B39545820BE30CDF25AC4A7CA3BD79B79396F8CC079C50186206E53D418BC642
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6829109f6be63092bff129b61a5c15856536c951ac64edcf3922940cbf1ec409
              • Instruction ID: 3d779549e1c96f27b631a06fc05efcdded4072ea56bd2be5fa410ed74563b9e9
              • Opcode Fuzzy Hash: 6829109f6be63092bff129b61a5c15856536c951ac64edcf3922940cbf1ec409
              • Instruction Fuzzy Hash: D5D05EB0C0420CEBCB04EFA4E545A9DBFB8EB46301F1081A8E80873640CB711E45DB95
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 115b1149ef3e7f74c8b79df13d96bea21ccfc3f2ca83dec366912932416f8959
              • Instruction ID: ce3f7dd92a0ceb5a6b7d2fa7a65feb9b4e046e5bc01b7faf8bb0196aca6cf3b3
              • Opcode Fuzzy Hash: 115b1149ef3e7f74c8b79df13d96bea21ccfc3f2ca83dec366912932416f8959
              • Instruction Fuzzy Hash: 98D0227222620B87DB28CBA6B434A39BBAC9F0020CF0C102CF00EC7800FB72E841D204
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18bca54824babbaaf1a69573d21b0c2f380cf9fd2352c4021f0cf51bb7ee4e26
              • Instruction ID: 9692830507771ec7f270f03f0ac4c695650bdca107091db06fbfed3662846ab7
              • Opcode Fuzzy Hash: 18bca54824babbaaf1a69573d21b0c2f380cf9fd2352c4021f0cf51bb7ee4e26
              • Instruction Fuzzy Hash: 25D05E33004104AFCB129F90ED00FD9FFA1AF41350F18815DE6040E191D2778553DF40
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f786e8919b78d6b77345aec2cd7e7e46bfb32747af201f33dfc2454eb58fcd7
              • Instruction ID: bc179020ba7511cbd524b204218c7d12560422d27ddb8bcaced28b8c10b9e3cd
              • Opcode Fuzzy Hash: 5f786e8919b78d6b77345aec2cd7e7e46bfb32747af201f33dfc2454eb58fcd7
              • Instruction Fuzzy Hash: F0D0127091121A8FC794CF65DE80B9CB7B5FF88201F009564D409A3228EB345988CF14
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2492d6e2e2df4a365880e72eb70f6d55902aee66bac000484197d1efbbba23f
              • Instruction ID: 4e98b4d76b876bfbae9ad7090df1371954ebbcabcbc5a2d997c1bf0e8f4a9f7a
              • Opcode Fuzzy Hash: a2492d6e2e2df4a365880e72eb70f6d55902aee66bac000484197d1efbbba23f
              • Instruction Fuzzy Hash: 04C01276200208AFDA81AA94C800D56B7A9EB08610F50A004BA080A241C272E862EBA1
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7282bd47c7fc59473d99393943301e2e415b0767e717727f804e189d92327ef9
              • Instruction ID: f21f6606406e539828af2572b6f16e40daf9c4796e1806e092511d8f254cf2c4
              • Opcode Fuzzy Hash: 7282bd47c7fc59473d99393943301e2e415b0767e717727f804e189d92327ef9
              • Instruction Fuzzy Hash: DFC00272144208BBCB42AA81D901E5AFF6AEB55694F188059F7040E161D673D962AB91
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d80d1e4ae81fc7486c99a6774d8d13bae59ff9356bec9037f008344b5ecfa0e3
              • Instruction ID: b1e44717134c31866621d2aa1a701cae8ca301a656bebd824d8137524d875f7c
              • Opcode Fuzzy Hash: d80d1e4ae81fc7486c99a6774d8d13bae59ff9356bec9037f008344b5ecfa0e3
              • Instruction Fuzzy Hash: 38C04C750152059E8645E75489D5D16BAA5FB95701B809857A14487031CA25C418AB16
              Memory Dump Source
              • Source File: 0000000C.00000002.1587356078.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7dc0000_Fyepece.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb13c716f807f7a1c36c1bd719d037d8b2b43391c2e9a37e9aeabafc9421e06e
              • Instruction ID: aff704e999c8a18e2975ea8c0c4527493841e01fce2aa806fbaae2c1a5f89f72
              • Opcode Fuzzy Hash: bb13c716f807f7a1c36c1bd719d037d8b2b43391c2e9a37e9aeabafc9421e06e
              • Instruction Fuzzy Hash: EEC04CB6541502DFD745AF60D980EC27BE1F761315B05C569900097131D67D845BDF12