Windows Analysis Report
PO1038854.exe

Overview

General Information

Sample name:PO1038854.exe
Analysis ID:1522761
MD5:0b8096803c8a92e49a117832e8005e90
SHA1:b897636e60d041c518422da34325c7810c1f3404
SHA256:85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO1038854.exe (PID: 4440 cmdline: "C:\Users\user\Desktop\PO1038854.exe" MD5: 0B8096803C8A92E49A117832E8005E90)
    • powershell.exe (PID: 4896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6516 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • PO1038854.exe (PID: 2936 cmdline: "C:\Users\user\Desktop\PO1038854.exe" MD5: 0B8096803C8A92E49A117832E8005E90)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c060:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1430f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f7e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17a92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: PO1038854.exe PID: 4440 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Source | Rule | Description | Author | Strings
5.2.PO1038854.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.PO1038854.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f7e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17a92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.PO1038854.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.PO1038854.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e9e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16c92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO1038854.exe", ParentImage: C:\Users\user\Desktop\PO1038854.exe, ParentProcessId: 4440, ParentProcessName: PO1038854.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe", ProcessId: 4896, ProcessName: powershell.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO1038854.exe", ParentImage: C:\Users\user\Desktop\PO1038854.exe, ParentProcessId: 4440, ParentProcessName: PO1038854.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe", ProcessId: 4896, ProcessName: powershell.exe
            No Suricata rule has matched

            AV Detection

            Source: PO1038854.exe, ReversingLabs: Detection: 23%
            Source: Yara match, File source: 5.2.PO1038854.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.PO1038854.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: PO1038854.exe, Joe Sandbox ML: detected
            Source: PO1038854.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: PO1038854.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: PO1038854.exe, 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO1038854.exe, PO1038854.exe, 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp
            Source: PO1038854.exe, 00000000.00000002.2137118655.000000000316E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            E-Banking Fraud

            Source: Yara match, File source: 5.2.PO1038854.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.PO1038854.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 5.2.PO1038854.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.PO1038854.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: PO1038854.exe, CircularButton.cs, Large array initialization: array initializer size 678416
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_0042CAF3 NtClose,5_2_0042CAF3
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01A02DF0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01A02C70
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A035C0 NtCreateMutant,LdrInitializeThunk,5_2_01A035C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A04340 NtSetContextThread,5_2_01A04340
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A04650 NtSuspendThread,5_2_01A04650
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02BA0 NtEnumerateValueKey,5_2_01A02BA0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02B80 NtQueryInformationFile,5_2_01A02B80
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02BE0 NtQueryValueKey,5_2_01A02BE0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02BF0 NtAllocateVirtualMemory,5_2_01A02BF0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02B60 NtClose,5_2_01A02B60
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02AB0 NtWaitForSingleObject,5_2_01A02AB0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02AF0 NtWriteFile,5_2_01A02AF0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02AD0 NtReadFile,5_2_01A02AD0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02DB0 NtEnumerateKey,5_2_01A02DB0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02DD0 NtDelayExecution,5_2_01A02DD0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02D30 NtUnmapViewOfSection,5_2_01A02D30
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02D00 NtSetInformationFile,5_2_01A02D00
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02D10 NtMapViewOfSection,5_2_01A02D10
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02CA0 NtQueryInformationToken,5_2_01A02CA0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02CF0 NtOpenProcess,5_2_01A02CF0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02CC0 NtQueryVirtualMemory,5_2_01A02CC0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02C00 NtQueryInformationProcess,5_2_01A02C00
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02C60 NtCreateKey,5_2_01A02C60
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02FA0 NtQuerySection,5_2_01A02FA0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02FB0 NtResumeThread,5_2_01A02FB0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02F90 NtProtectVirtualMemory,5_2_01A02F90
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02FE0 NtCreateFile,5_2_01A02FE0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02F30 NtCreateSection,5_2_01A02F30
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02F60 NtCreateProcessEx,5_2_01A02F60
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02EA0 NtAdjustPrivilegesToken,5_2_01A02EA0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02E80 NtReadVirtualMemory,5_2_01A02E80
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02EE0 NtQueueApcThread,5_2_01A02EE0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A02E30 NtWriteVirtualMemory,5_2_01A02E30
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A03090 NtSetValueKey,5_2_01A03090
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A03010 NtOpenDirectoryObject,5_2_01A03010
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A039B0 NtGetContextThread,5_2_01A039B0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A03D10 NtOpenProcessToken,5_2_01A03D10
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A03D70 NtOpenThread,5_2_01A03D70
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: String function: 01A3EA12 appears 86 times
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: String function: 01A05130 appears 58 times
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: String function: 01A17E54 appears 111 times
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: String function: 019BB970 appears 280 times
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: String function: 01A4F290 appears 105 times
            Source: PO1038854.exe, 00000000.00000002.2151567751.000000000A140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PO1038854.exe
            Source: PO1038854.exe, 00000000.00000000.2124136505.0000000000B84000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRjdR.exe@ vs PO1038854.exe
            Source: PO1038854.exe, 00000000.00000002.2136001690.000000000115E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO1038854.exe
            Source: PO1038854.exe, 00000005.00000002.2385119811.0000000001ABD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO1038854.exe
            Source: PO1038854.exeBinary or memory string: OriginalFilenameRjdR.exe@ vs PO1038854.exe
            Source: 5.2.PO1038854.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.PO1038854.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: PO1038854.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.PO1038854.exe.a140000.6.raw.unpack, C6p2pqJV2lX1KN4pKa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO1038854.exe.4980dc0.1.raw.unpack, C6p2pqJV2lX1KN4pKa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO1038854.exe.a140000.6.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: _0020.SetAccessControl
            Source: 0.2.PO1038854.exe.a140000.6.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO1038854.exe.a140000.6.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: _0020.AddAccessRule
            Source: 0.2.PO1038854.exe.4980dc0.1.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: _0020.SetAccessControl
            Source: 0.2.PO1038854.exe.4980dc0.1.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO1038854.exe.4980dc0.1.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: _0020.AddAccessRule
            Source: 0.2.PO1038854.exe.4a08fe0.3.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: _0020.SetAccessControl
            Source: 0.2.PO1038854.exe.4a08fe0.3.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PO1038854.exe.4a08fe0.3.raw.unpack, XhsEuGxgMg3yVMoqO1.cs Security API names: _0020.AddAccessRule
            Source: 0.2.PO1038854.exe.4a08fe0.3.raw.unpack, C6p2pqJV2lX1KN4pKa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine Classification label: mal100.troj.evad.winEXE@7/6@0/0
            Source: C:\Users\user\Desktop\PO1038854.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO1038854.exe.log
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5g0fnvv.pm2.ps1
            Source: PO1038854.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\PO1038854.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\PO1038854.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PO1038854.exe ReversingLabs: Detection: 23%
            Source: unknown Process created: C:\Users\user\Desktop\PO1038854.exe "C:\Users\user\Desktop\PO1038854.exe"
            Source: C:\Users\user\Desktop\PO1038854.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO1038854.exe Process created: C:\Users\user\Desktop\PO1038854.exe "C:\Users\user\Desktop\PO1038854.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\Desktop\PO1038854.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
            Source: C:\Users\user\Desktop\PO1038854.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\PO1038854.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: PO1038854.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO1038854.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: PO1038854.exe, 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO1038854.exe, PO1038854.exe, 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.PO1038854.exe.3f19c80.2.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO1038854.exe.3f31ea0.0.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO1038854.exe.4980dc0.1.raw.unpack, XhsEuGxgMg3yVMoqO1.cs .Net Code: PuapfsrokX System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO1038854.exe.a140000.6.raw.unpack, XhsEuGxgMg3yVMoqO1.cs .Net Code: PuapfsrokX System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO1038854.exe.4a08fe0.3.raw.unpack, XhsEuGxgMg3yVMoqO1.cs .Net Code: PuapfsrokX System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PO1038854.exe.7230000.5.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 0_2_0727BF50 pushfd ; iretd 0_2_0727BF51
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 0_2_07276EEC push cs; ret 0_2_07276EEF
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 0_2_07533177 push dword ptr [edx+ebp*2-75h]; iretd 0_2_07533187
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_004150A8 push ss; iretd 5_2_004150B9
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_00414143 push ebp; iretd 5_2_00414189
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_00406377 push es; ret 5_2_00406381
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_0041FBDB push ebp; ret 5_2_0041FBDC
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_00411D04 pushad ; retf 5_2_00411D2D
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_00403780 push eax; ret 5_2_00403782
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_0199225F pushad ; ret 5_2_019927F9
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019927FA pushad ; ret 5_2_019927F9
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019C09AD push ecx; mov dword ptr [esp], ecx 5_2_019C09B6
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_0199283D push eax; iretd 5_2_01992858
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01991200 push eax; iretd 5_2_01991369
            Source: PO1038854.exe Static PE information: section name: .text entropy: 7.870972260343742

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\PO1038854.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: PO1038854.exe PID: 4440, type: MEMORYSTR
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 14F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 2EF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 2E40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 7A90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 8A90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 8C30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: 9C30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: A1D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: B1D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: C1D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A0096E rdtsc 5_2_01A0096E
            Source: C:\Users\user\Desktop\PO1038854.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6802
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1370
            Source: C:\Users\user\Desktop\PO1038854.exe API coverage: 0.6 %
            Source: C:\Users\user\Desktop\PO1038854.exe TID: 6236 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6112 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\PO1038854.exe TID: 4568 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PO1038854.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_00417DB3 LdrLoadDll, 5_2_00417DB3
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019BA197 mov eax, dword ptr fs:[00000030h] 5_2_019BA197
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A00185 mov eax, dword ptr fs:[00000030h] 5_2_01A00185
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A64180 mov eax, dword ptr fs:[00000030h] 5_2_01A64180
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A7C188 mov eax, dword ptr fs:[00000030h] 5_2_01A7C188
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A4019F mov eax, dword ptr fs:[00000030h] 5_2_01A4019F
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A961E5 mov eax, dword ptr fs:[00000030h] 5_2_01A961E5
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019F01F8 mov eax, dword ptr fs:[00000030h] 5_2_019F01F8
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A861C3 mov eax, dword ptr fs:[00000030h] 5_2_01A861C3
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A3E1D0 mov eax, dword ptr fs:[00000030h] 5_2_01A3E1D0
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A3E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_01A3E1D0
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A6E10E mov eax, dword ptr fs:[00000030h] 5_2_01A6E10E
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A6E10E mov ecx, dword ptr fs:[00000030h] 5_2_01A6E10E
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019F0124 mov eax, dword ptr fs:[00000030h] 5_2_019F0124
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A80115 mov eax, dword ptr fs:[00000030h] 5_2_01A80115
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A6A118 mov ecx, dword ptr fs:[00000030h] 5_2_01A6A118
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A6A118 mov eax, dword ptr fs:[00000030h] 5_2_01A6A118
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019C6154 mov eax, dword ptr fs:[00000030h] 5_2_019C6154
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019BC156 mov eax, dword ptr fs:[00000030h] 5_2_019BC156
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A94164 mov eax, dword ptr fs:[00000030h] 5_2_01A94164
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A54144 mov eax, dword ptr fs:[00000030h] 5_2_01A54144
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A54144 mov ecx, dword ptr fs:[00000030h] 5_2_01A54144
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A58158 mov eax, dword ptr fs:[00000030h] 5_2_01A58158
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A580A8 mov eax, dword ptr fs:[00000030h] 5_2_01A580A8
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A860B8 mov eax, dword ptr fs:[00000030h] 5_2_01A860B8
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A860B8 mov ecx, dword ptr fs:[00000030h] 5_2_01A860B8
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019C208A mov eax, dword ptr fs:[00000030h] 5_2_019C208A
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019B80A0 mov eax, dword ptr fs:[00000030h] 5_2_019B80A0
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A460E0 mov eax, dword ptr fs:[00000030h] 5_2_01A460E0
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A020F0 mov ecx, dword ptr fs:[00000030h] 5_2_01A020F0
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019BC0F0 mov eax, dword ptr fs:[00000030h] 5_2_019BC0F0
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019C80E9 mov eax, dword ptr fs:[00000030h] 5_2_019C80E9
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019BA0E3 mov ecx, dword ptr fs:[00000030h] 5_2_019BA0E3
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_01A420DE mov eax, dword ptr fs:[00000030h] 5_2_01A420DE
            Source: C:\Users\user\Desktop\PO1038854.exe Code function: 5_2_019DE016 mov eax, dword ptr fs:[00000030h] 5_2_019DE016
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019DE016 mov eax, dword ptr fs:[00000030h]5_2_019DE016
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019DE016 mov eax, dword ptr fs:[00000030h]5_2_019DE016
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A56030 mov eax, dword ptr fs:[00000030h]5_2_01A56030
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A44000 mov ecx, dword ptr fs:[00000030h]5_2_01A44000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A62000 mov eax, dword ptr fs:[00000030h]5_2_01A62000
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BA020 mov eax, dword ptr fs:[00000030h]5_2_019BA020
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BC020 mov eax, dword ptr fs:[00000030h]5_2_019BC020
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C2050 mov eax, dword ptr fs:[00000030h]5_2_019C2050
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EC073 mov eax, dword ptr fs:[00000030h]5_2_019EC073
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46050 mov eax, dword ptr fs:[00000030h]5_2_01A46050
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019B8397 mov eax, dword ptr fs:[00000030h]5_2_019B8397
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019B8397 mov eax, dword ptr fs:[00000030h]5_2_019B8397
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019B8397 mov eax, dword ptr fs:[00000030h]5_2_019B8397
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019E438F mov eax, dword ptr fs:[00000030h]5_2_019E438F
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019E438F mov eax, dword ptr fs:[00000030h]5_2_019E438F
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BE388 mov eax, dword ptr fs:[00000030h]5_2_019BE388
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BE388 mov eax, dword ptr fs:[00000030h]5_2_019BE388
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BE388 mov eax, dword ptr fs:[00000030h]5_2_019BE388
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA3C0 mov eax, dword ptr fs:[00000030h]5_2_019CA3C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA3C0 mov eax, dword ptr fs:[00000030h]5_2_019CA3C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA3C0 mov eax, dword ptr fs:[00000030h]5_2_019CA3C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA3C0 mov eax, dword ptr fs:[00000030h]5_2_019CA3C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA3C0 mov eax, dword ptr fs:[00000030h]5_2_019CA3C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA3C0 mov eax, dword ptr fs:[00000030h]5_2_019CA3C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C83C0 mov eax, dword ptr fs:[00000030h]5_2_019C83C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C83C0 mov eax, dword ptr fs:[00000030h]5_2_019C83C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C83C0 mov eax, dword ptr fs:[00000030h]5_2_019C83C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C83C0 mov eax, dword ptr fs:[00000030h]5_2_019C83C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F63FF mov eax, dword ptr fs:[00000030h]5_2_019F63FF
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A463C0 mov eax, dword ptr fs:[00000030h]5_2_01A463C0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A7C3CD mov eax, dword ptr fs:[00000030h]5_2_01A7C3CD
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019DE3F0 mov eax, dword ptr fs:[00000030h]5_2_019DE3F0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019DE3F0 mov eax, dword ptr fs:[00000030h]5_2_019DE3F0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019DE3F0 mov eax, dword ptr fs:[00000030h]5_2_019DE3F0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A643D4 mov eax, dword ptr fs:[00000030h]5_2_01A643D4
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A643D4 mov eax, dword ptr fs:[00000030h]5_2_01A643D4
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D03E9 mov eax, dword ptr fs:[00000030h]5_2_019D03E9
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A6E3DB mov eax, dword ptr fs:[00000030h]5_2_01A6E3DB
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A6E3DB mov eax, dword ptr fs:[00000030h]5_2_01A6E3DB
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A6E3DB mov ecx, dword ptr fs:[00000030h]5_2_01A6E3DB
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A6E3DB mov eax, dword ptr fs:[00000030h]5_2_01A6E3DB
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BC310 mov ecx, dword ptr fs:[00000030h]5_2_019BC310
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A98324 mov eax, dword ptr fs:[00000030h]5_2_01A98324
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A98324 mov ecx, dword ptr fs:[00000030h]5_2_01A98324
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A98324 mov eax, dword ptr fs:[00000030h]5_2_01A98324
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A98324 mov eax, dword ptr fs:[00000030h]5_2_01A98324
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019E0310 mov ecx, dword ptr fs:[00000030h]5_2_019E0310
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FA30B mov eax, dword ptr fs:[00000030h]5_2_019FA30B
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FA30B mov eax, dword ptr fs:[00000030h]5_2_019FA30B
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FA30B mov eax, dword ptr fs:[00000030h]5_2_019FA30B
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A6437C mov eax, dword ptr fs:[00000030h]5_2_01A6437C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A9634F mov eax, dword ptr fs:[00000030h]5_2_01A9634F
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A42349 mov eax, dword ptr fs:[00000030h]5_2_01A42349
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A68350 mov ecx, dword ptr fs:[00000030h]5_2_01A68350
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4035C mov eax, dword ptr fs:[00000030h]5_2_01A4035C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4035C mov eax, dword ptr fs:[00000030h]5_2_01A4035C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4035C mov eax, dword ptr fs:[00000030h]5_2_01A4035C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4035C mov ecx, dword ptr fs:[00000030h]5_2_01A4035C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4035C mov eax, dword ptr fs:[00000030h]5_2_01A4035C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4035C mov eax, dword ptr fs:[00000030h]5_2_01A4035C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A8A352 mov eax, dword ptr fs:[00000030h]5_2_01A8A352
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A562A0 mov eax, dword ptr fs:[00000030h]5_2_01A562A0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A562A0 mov ecx, dword ptr fs:[00000030h]5_2_01A562A0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A562A0 mov eax, dword ptr fs:[00000030h]5_2_01A562A0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A562A0 mov eax, dword ptr fs:[00000030h]5_2_01A562A0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A562A0 mov eax, dword ptr fs:[00000030h]5_2_01A562A0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A562A0 mov eax, dword ptr fs:[00000030h]5_2_01A562A0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE284 mov eax, dword ptr fs:[00000030h]5_2_019FE284
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE284 mov eax, dword ptr fs:[00000030h]5_2_019FE284
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A40283 mov eax, dword ptr fs:[00000030h]5_2_01A40283
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A40283 mov eax, dword ptr fs:[00000030h]5_2_01A40283
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A40283 mov eax, dword ptr fs:[00000030h]5_2_01A40283
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA2C3 mov eax, dword ptr fs:[00000030h]5_2_019CA2C3
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA2C3 mov eax, dword ptr fs:[00000030h]5_2_019CA2C3
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA2C3 mov eax, dword ptr fs:[00000030h]5_2_019CA2C3
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA2C3 mov eax, dword ptr fs:[00000030h]5_2_019CA2C3
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019CA2C3 mov eax, dword ptr fs:[00000030h]5_2_019CA2C3
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D02E1 mov eax, dword ptr fs:[00000030h]5_2_019D02E1
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D02E1 mov eax, dword ptr fs:[00000030h]5_2_019D02E1
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D02E1 mov eax, dword ptr fs:[00000030h]5_2_019D02E1
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A962D6 mov eax, dword ptr fs:[00000030h]5_2_01A962D6
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019B823B mov eax, dword ptr fs:[00000030h]5_2_019B823B
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C6259 mov eax, dword ptr fs:[00000030h]5_2_019C6259
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BA250 mov eax, dword ptr fs:[00000030h]5_2_019BA250
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A70274 mov eax, dword ptr fs:[00000030h]5_2_01A70274
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A48243 mov eax, dword ptr fs:[00000030h]5_2_01A48243
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A48243 mov ecx, dword ptr fs:[00000030h]5_2_01A48243
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019B826B mov eax, dword ptr fs:[00000030h]5_2_019B826B
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A9625D mov eax, dword ptr fs:[00000030h]5_2_01A9625D
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A7A250 mov eax, dword ptr fs:[00000030h]5_2_01A7A250
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A7A250 mov eax, dword ptr fs:[00000030h]5_2_01A7A250
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C4260 mov eax, dword ptr fs:[00000030h]5_2_019C4260
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C4260 mov eax, dword ptr fs:[00000030h]5_2_019C4260
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C4260 mov eax, dword ptr fs:[00000030h]5_2_019C4260
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE59C mov eax, dword ptr fs:[00000030h]5_2_019FE59C
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A405A7 mov eax, dword ptr fs:[00000030h]5_2_01A405A7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A405A7 mov eax, dword ptr fs:[00000030h]5_2_01A405A7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A405A7 mov eax, dword ptr fs:[00000030h]5_2_01A405A7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F4588 mov eax, dword ptr fs:[00000030h]5_2_019F4588
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C2582 mov eax, dword ptr fs:[00000030h]5_2_019C2582
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C2582 mov ecx, dword ptr fs:[00000030h]5_2_019C2582
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019E45B1 mov eax, dword ptr fs:[00000030h]5_2_019E45B1
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019E45B1 mov eax, dword ptr fs:[00000030h]5_2_019E45B1
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C65D0 mov eax, dword ptr fs:[00000030h]5_2_019C65D0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FA5D0 mov eax, dword ptr fs:[00000030h]5_2_019FA5D0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FA5D0 mov eax, dword ptr fs:[00000030h]5_2_019FA5D0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE5CF mov eax, dword ptr fs:[00000030h]5_2_019FE5CF
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE5CF mov eax, dword ptr fs:[00000030h]5_2_019FE5CF
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FC5ED mov eax, dword ptr fs:[00000030h]5_2_019FC5ED
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FC5ED mov eax, dword ptr fs:[00000030h]5_2_019FC5ED
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE5E7 mov eax, dword ptr fs:[00000030h]5_2_019EE5E7
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C25E0 mov eax, dword ptr fs:[00000030h]5_2_019C25E0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE53E mov eax, dword ptr fs:[00000030h]5_2_019EE53E
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE53E mov eax, dword ptr fs:[00000030h]5_2_019EE53E
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE53E mov eax, dword ptr fs:[00000030h]5_2_019EE53E
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE53E mov eax, dword ptr fs:[00000030h]5_2_019EE53E
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EE53E mov eax, dword ptr fs:[00000030h]5_2_019EE53E
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A56500 mov eax, dword ptr fs:[00000030h]5_2_01A56500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D0535 mov eax, dword ptr fs:[00000030h]5_2_019D0535
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D0535 mov eax, dword ptr fs:[00000030h]5_2_019D0535
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D0535 mov eax, dword ptr fs:[00000030h]5_2_019D0535
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D0535 mov eax, dword ptr fs:[00000030h]5_2_019D0535
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D0535 mov eax, dword ptr fs:[00000030h]5_2_019D0535
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019D0535 mov eax, dword ptr fs:[00000030h]5_2_019D0535
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A94500 mov eax, dword ptr fs:[00000030h]5_2_01A94500
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C8550 mov eax, dword ptr fs:[00000030h]5_2_019C8550
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C8550 mov eax, dword ptr fs:[00000030h]5_2_019C8550
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F656A mov eax, dword ptr fs:[00000030h]5_2_019F656A
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F656A mov eax, dword ptr fs:[00000030h]5_2_019F656A
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F656A mov eax, dword ptr fs:[00000030h]5_2_019F656A
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4A4B0 mov eax, dword ptr fs:[00000030h]5_2_01A4A4B0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F44B0 mov ecx, dword ptr fs:[00000030h]5_2_019F44B0
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C64AB mov eax, dword ptr fs:[00000030h]5_2_019C64AB
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A7A49A mov eax, dword ptr fs:[00000030h]5_2_01A7A49A
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019C04E5 mov ecx, dword ptr fs:[00000030h]5_2_019C04E5
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A46420 mov eax, dword ptr fs:[00000030h]5_2_01A46420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F8402 mov eax, dword ptr fs:[00000030h]5_2_019F8402
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F8402 mov eax, dword ptr fs:[00000030h]5_2_019F8402
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019F8402 mov eax, dword ptr fs:[00000030h]5_2_019F8402
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FA430 mov eax, dword ptr fs:[00000030h]5_2_019FA430
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BE420 mov eax, dword ptr fs:[00000030h]5_2_019BE420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BE420 mov eax, dword ptr fs:[00000030h]5_2_019BE420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BE420 mov eax, dword ptr fs:[00000030h]5_2_019BE420
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019BC427 mov eax, dword ptr fs:[00000030h]5_2_019BC427
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019E245A mov eax, dword ptr fs:[00000030h]5_2_019E245A
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A4C460 mov ecx, dword ptr fs:[00000030h]5_2_01A4C460
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019B645D mov eax, dword ptr fs:[00000030h]5_2_019B645D
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019FE443 mov eax, dword ptr fs:[00000030h]5_2_019FE443
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EA470 mov eax, dword ptr fs:[00000030h]5_2_019EA470
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EA470 mov eax, dword ptr fs:[00000030h]5_2_019EA470
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_019EA470 mov eax, dword ptr fs:[00000030h]5_2_019EA470
            Source: C:\Users\user\Desktop\PO1038854.exeCode function: 5_2_01A7A456 mov eax, dword ptr fs:[00000030h]5_2_01A7A456
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO1038854.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\PO1038854.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe"
            Source: C:\Users\user\Desktop\PO1038854.exe Memory written: C:\Users\user\Desktop\PO1038854.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\PO1038854.exe Process created: C:\Users\user\Desktop\PO1038854.exe "C:\Users\user\Desktop\PO1038854.exe"
            Source: C:\Users\user\Desktop\PO1038854.exe Queries volume information: C:\Users\user\Desktop\PO1038854.exe VolumeInformation
            Source: C:\Users\user\Desktop\PO1038854.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO1038854.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO1038854.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO1038854.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO1038854.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO1038854.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara match | File source: 5.2.PO1038854.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.PO1038854.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match | File source: 5.2.PO1038854.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.PO1038854.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 2 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Behavior Graph (ID: 1522761, Sample: PO1038854.exe, Start date: 30/09/2024, Architecture: WINDOWS, Score: 100)
            Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures
            • PO1038854.exe (started): Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; dropped C:\Users\user\AppData\...\PO1038854.exe.log (ASCII)
              • powershell.exe (started): Loading BitLocker PowerShell Module
                • WmiPrvSE.exe (started)
                • conhost.exe (started)
              • PO1038854.exe (started)

            Source | Detection | Scanner | Label | Link
            PO1038854.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN |
            PO1038854.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO1038854.exe, 00000000.00000002.2137118655.000000000316E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1522761
            Start date and time:2024-09-30 16:32:03 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 26s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:PO1038854.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/6@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 46
            • Number of non-executed functions: 287
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: PO1038854.exe
            Time | Type | Description
            10:32:54 | API Interceptor | 4x Sleep call for process: PO1038854.exe modified
            10:32:55 | API Interceptor | 16x Sleep call for process: powershell.exe modified
            No context
            No context
            No context
            No context
            No context
            Process:C:\Users\user\Desktop\PO1038854.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.380805901110357
            Encrypted:false
            SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCsIfA2KRHmOugw1s
            MD5:2841736A1E367C6D039C41512DA2893E
            SHA1:8AE1356D954F14390DD115EB92E2B01F86E98141
            SHA-256:70D4743FAB5C407020B872595615D3B018AC17A6F504084BF1E95B061C97047E
            SHA-512:E11A1F186A9B75658F905B7128526E054CEE572A4F55BBB864B5E8B5DC3D8B62D1E160F31472213DB0CEB8A612D71B23DAE03EBC6AB5BC0D8933732F2007EF6C
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.862060183775342
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:PO1038854.exe
            File size:793'600 bytes
            MD5:0b8096803c8a92e49a117832e8005e90
            SHA1:b897636e60d041c518422da34325c7810c1f3404
            SHA256:85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
            SHA512:c43dece156354bee9110a6025030066cf54e44144ab730c233a03caad1e0b1e6d9a1f329949360e44285206e71d2b11fbab1be1b94578d53352c69d6e47a9532
            SSDEEP:12288:+Xusruc84Pww5Bg6i6os91E3x3u2yoVKlF62aQqurR4FxRnifrmTeUEP3p2NUp:+Mc9DV1QumMlqur+Ni6Q5
            TLSH:3FF402086AF8EE1AD56E477694B0415067FAB8DAA673F31F1FC230F51F26784C904B62
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................./... ........@.. ....................................@................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x4c2fce
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x66FAA780 [Mon Sep 30 13:28:32 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2f80 | 0x4b | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x800 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xc0fd4 | 0xc1000 | ede9d21db9d59d8582ba92dfb7cd54ae | False | 0.9190844600064767 | data | 7.870972260343742 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xc4000 | 0x800 | 0x800 | 3a4d30278c462bc7ad9fa275918f756c | False | 0.337890625 | data | 3.476399585705256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xc6000 | 0xc | 0x200 | 4d28466b59bd2b8bc85d243877b86e54 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0xc4090 | 0x39c | data | | | 0.41883116883116883
            RT_MANIFEST | 0xc443c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
            DLL | Import
            mscoree.dll | _CorExeMain
            No network behavior found


            Target ID:0
            Start time:10:32:53
            Start date:30/09/2024
            Path:C:\Users\user\Desktop\PO1038854.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PO1038854.exe"
            Imagebase:0xac0000
            File size:793'600 bytes
            MD5 hash:0B8096803C8A92E49A117832E8005E90
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:10:32:54
            Start date:30/09/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO1038854.exe"
            Imagebase:0x470000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:10:32:54
            Start date:30/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:10:32:54
            Start date:30/09/2024
            Path:C:\Users\user\Desktop\PO1038854.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PO1038854.exe"
            Imagebase:0xf10000
            File size:793'600 bytes
            MD5 hash:0B8096803C8A92E49A117832E8005E90
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2385912141.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:6
            Start time:10:32:57
            Start date:30/09/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff717f30000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:10%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:235
              Total number of Limit Nodes:16

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 02E0DDFE
              • GetCurrentThread.KERNEL32 ref: 02E0DE3B
              • GetCurrentProcess.KERNEL32 ref: 02E0DE78
              • GetCurrentThreadId.KERNEL32 ref: 02E0DED1
              Memory Dump Source
              • Source File: 00000000.00000002.2136935044.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2e00000_PO1038854.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: e5ee1a6fc746a0a84fce7f5e5136ab2e8744f2d1c4a4d4ab35a2bdbfd3595e8c
              • Instruction ID: 12b38c8ffe88670e37c25c919f3df94b1e72ddd588c36d9b9555391566c06579
              • Opcode Fuzzy Hash: e5ee1a6fc746a0a84fce7f5e5136ab2e8744f2d1c4a4d4ab35a2bdbfd3595e8c
              • Instruction Fuzzy Hash: 2B5147B49013498FDB54CFAAD988B9EFBF5FF88314F20C059E009A72A0DB755845CB65

              Control-flow Graph

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0727E0FE
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: d7c5aae2739f42a9bb21dbd25a1165076100a5827199954f37180818416558b4
              • Instruction ID: 9282356c0c23f4a26ef871987c13caf91f9f5965c3c81c56cd0f397f1dc8823f
              • Opcode Fuzzy Hash: d7c5aae2739f42a9bb21dbd25a1165076100a5827199954f37180818416558b4
              • Instruction Fuzzy Hash: 2DA16EB1D1021ADFEB14CFA8C941BEDBBB2FF48314F1581A9E818A7240DB749985CF91

              Control-flow Graph

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0727E0FE
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 1262993ff8931ac052db4bbf156eb5a1fb10ea00ce2bc2c84f1130129c71b225
              • Instruction ID: ffaf0a6ffa6db65de41d5933a4eb4d64c5ae47e075f768926df66d458c3246af
              • Opcode Fuzzy Hash: 1262993ff8931ac052db4bbf156eb5a1fb10ea00ce2bc2c84f1130129c71b225
              • Instruction Fuzzy Hash: 11916EB1D1021ADFEB14CFA8C941BDDBBB2FF44310F1581A9E818A7240DB749985CF92

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 02E0B93E
              Memory Dump Source
              • Source File: 00000000.00000002.2136935044.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2e00000_PO1038854.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 48e0224c755dd5c427301502ab4a77dd913fc56667f77398833e30ad0c3abea0
              • Instruction ID: 8d8d0f333821c32cf048a10450cc432165155cda368bf679adb435527e70a6ec
              • Opcode Fuzzy Hash: 48e0224c755dd5c427301502ab4a77dd913fc56667f77398833e30ad0c3abea0
              • Instruction Fuzzy Hash: 56813770A00B058FD724DF6AD08475ABBF1FF88708F149A2ED546D7A90DB74E886CB90

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 02E063A9
              Memory Dump Source
              • Source File: 00000000.00000002.2136935044.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2e00000_PO1038854.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 80f526d6bf63d00d8a2cb1311bed28ba7d23e31ce5b00d034d93ae95ce70397d
              • Instruction ID: 3796f80729cda76464a0eb134362477658b8e40152325ccd6ad8995ab1393894
              • Opcode Fuzzy Hash: 80f526d6bf63d00d8a2cb1311bed28ba7d23e31ce5b00d034d93ae95ce70397d
              • Instruction Fuzzy Hash: FF41C2B1C0071DCBEB24CF99C9847DEBBB5BF48704F208169D508AB255DB756946CF90

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 02E063A9
              Memory Dump Source
              • Source File: 00000000.00000002.2136935044.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2e00000_PO1038854.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 37644bf93107e31d2b5b0f2a11991e26ef7e2f9195bd43db20be01588465d3f0
              • Instruction ID: c868f3ce243ebf49919f47dc9f8790f0846b189f170019a464df12a90d2769d4
              • Opcode Fuzzy Hash: 37644bf93107e31d2b5b0f2a11991e26ef7e2f9195bd43db20be01588465d3f0
              • Instruction Fuzzy Hash: 8841D2B1C0071DCBEB24CFA9C9847DEBBB5BF88704F20806AD408AB255DB755946CF90

              Control-flow Graph

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0727DCD0
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: d198c8839347c90609b06e029c34b857fb7a468f4552d9edbd860fcccb992a20
              • Instruction ID: 1b8fe4dc8e31ffc648c559a36ceaa138d769b5b6b6a231cf6bc4e0197d3c9e2d
              • Opcode Fuzzy Hash: d198c8839347c90609b06e029c34b857fb7a468f4552d9edbd860fcccb992a20
              • Instruction Fuzzy Hash: 962127B190034A9FDF10CFAAC981BDEBBF5FF48310F108429E918A7240C7B89950CBA4

              Control-flow Graph

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0727DCD0
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: c5e3bbd31a1a958df1f99d2af94a50076023201c6a79346d1c4d32f9a7963244
              • Instruction ID: 5311b1c5380b0260b2f9db82df7493a576c13dab2afeac8632c1efa3a4408f6f
              • Opcode Fuzzy Hash: c5e3bbd31a1a958df1f99d2af94a50076023201c6a79346d1c4d32f9a7963244
              • Instruction Fuzzy Hash: C62126B591034A9FDB10CFA9C981BDEBBF5BF48310F14842AE518A7240C7B89554CBA0

              Control-flow Graph

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0727DDB0
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: d4ac376e4031c76a8fc2f5489fef5f6bb9621e4ee6f353ce724c3c91ccd3dd9b
              • Instruction ID: 339b606b26f163132d7118ed6e410108a243ff7c602d100d2009fbd664d696e4
              • Opcode Fuzzy Hash: d4ac376e4031c76a8fc2f5489fef5f6bb9621e4ee6f353ce724c3c91ccd3dd9b
              • Instruction Fuzzy Hash: 0811EFB680024A8FEF11CFA5C8857EEBBF1EF48314F14891AD65A67251CB388451DBA1

              Control-flow Graph

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0727DDB0
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 35c263e4e23a9a8cdea553d5eaff41d5ce0526b72d12a0d845842e5c26cfd23e
              • Instruction ID: 3e65ae349046c2de3ded27463db619befb707c6883f8cc99abf2bcb080f2a9ee
              • Opcode Fuzzy Hash: 35c263e4e23a9a8cdea553d5eaff41d5ce0526b72d12a0d845842e5c26cfd23e
              • Instruction Fuzzy Hash: 512116B29003499FDB10CFAAC881BDEBBF5FF48320F108429E518A7240D7789550CBA5

              Control-flow Graph

              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0727DB26
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 90b3f53f2bf5a349da6fff8052a05825febc761c896c768dda6e9bac801b27c5
              • Instruction ID: 529ff9d0575074ee59f4a7c0d6616f17b3c1815a534fbc4ac80dccfa51efe30a
              • Opcode Fuzzy Hash: 90b3f53f2bf5a349da6fff8052a05825febc761c896c768dda6e9bac801b27c5
              • Instruction Fuzzy Hash: C32139B5D0020A9FDB10DFA9C5857EEBBF4FF48314F14842AD519A7240CBB89544CFA5

              Control-flow Graph

              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0727DB26
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: cfff19405f0dc586a21b12feb194dacecbc0be9249b387abf87d327a70449b9a
              • Instruction ID: 33194efcb028f3291f284a43f680f35a8a87cafc630c160e0c4a92d2184df2ae
              • Opcode Fuzzy Hash: cfff19405f0dc586a21b12feb194dacecbc0be9249b387abf87d327a70449b9a
              • Instruction Fuzzy Hash: 662139B19003099FDB10DFAAC5857AEBBF4AF48320F148429D519A7240CB789544CBA5

              Control-flow Graph

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E0E04F
              Memory Dump Source
              • Source File: 00000000.00000002.2136935044.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2e00000_PO1038854.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 298 727dd2e-727ddbd ReadProcessMemory 301 727ddc6-727ddf6 298->301 302 727ddbf-727ddc5 298->302 302->301
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0727DDB0
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 306 727db7a-727dbfb VirtualAllocEx 309 727dc04-727dc29 306->309 310 727dbfd-727dc03 306->310 310->309
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0727DBEE
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 02E0B93E
              Memory Dump Source
              • Source File: 00000000.00000002.2136935044.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2e00000_PO1038854.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 075311CD
              Memory Dump Source
              • Source File: 00000000.00000002.2151034454.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7530000_PO1038854.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: '<"C$'<"C$NvTt
              • API String ID: 0-1787953242
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: MHEp
              • API String ID: 0-3954723320
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: sX
              • API String ID: 0-3110708420
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2150815826.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7270000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: 4$VD
              • API String ID: 0-4229505421

              Execution Graph

              Execution Coverage:0.8%
              Dynamic/Decrypted Code Coverage:4.7%
              Signature Coverage:8.4%
              Total number of Nodes:107
              Total number of Limit Nodes:8

              Control-flow Graph

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417E25
              Memory Dump Source
              • Source File: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_PO1038854.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0

              Control-flow Graph

              control_flow_graph 32 42caf3-42cb2c call 404c23 call 42dd03 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB27
              Memory Dump Source
              • Source File: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_PO1038854.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0

              Control-flow Graph

              control_flow_graph 47 1a02df0-1a02dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0

              Control-flow Graph

              control_flow_graph 46 1a02c70-1a02c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0

              Control-flow Graph

              control_flow_graph 48 1a035c0-1a035cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0

              Control-flow Graph

              control_flow_graph 27 42ce53-42ce97 call 404c23 call 42dd03 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,8D03EB6A,00000007,00000000,00000004,00000000,00417631,000000F4), ref: 0042CE92
              Memory Dump Source
              • Source File: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_PO1038854.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0

              Control-flow Graph

              control_flow_graph 22 42ce03-42ce44 call 404c23 call 42dd03 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(00424F1F,?,?,00424F1F,00000000,?,?,00424F1F,?,00000104), ref: 0042CE3F
              Memory Dump Source
              • Source File: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_PO1038854.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0

              Control-flow Graph

              control_flow_graph 37 42cea3-42ced9 call 404c23 call 42dd03 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2384523939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_PO1038854.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0

              Control-flow Graph

              control_flow_graph 42 1a02c0a-1a02c0f 43 1a02c11-1a02c18 42->43 44 1a02c1f-1a02c26 LdrInitializeThunk 42->44
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              Strings
              • Critical section debug info address, xrefs: 01A3541F, 01A3552E
              • double initialized or corrupted critical section, xrefs: 01A35508
              • Critical section address, xrefs: 01A35425, 01A354BC, 01A35534
              • Critical section address., xrefs: 01A35502
              • 8, xrefs: 01A352E3
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354E2
              • Invalid debug info address of this critical section, xrefs: 01A354B6
              • Thread is in a state in which it cannot own a critical section, xrefs: 01A35543
              • Address of the debug info found in the active list., xrefs: 01A354AE, 01A354FA
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354CE
              • corrupted critical section, xrefs: 01A354C2
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A3540A, 01A35496, 01A35519
              • undeleted critical section in freed memory, xrefs: 01A3542B
              • Thread identifier, xrefs: 01A3553A
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              Strings
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A32624
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A32506
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A32498
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A32602
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A322E4
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A324C0
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A32412
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A32409
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A325EB
              • @, xrefs: 01A3259B
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 01A3261F
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              Strings
              • VerifierFlags, xrefs: 01A48C50
              • VerifierDebug, xrefs: 01A48CA5
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A48A67
              • VerifierDlls, xrefs: 01A48CBD
              • HandleTraces, xrefs: 01A48C8F
              • AVRF: -*- final list of providers -*- , xrefs: 01A48B8F
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A48A3D
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              • API String ID: 0-3223716464
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01A19A11, 01A19A3A
              • apphelp.dll, xrefs: 019B6496
              • LdrpInitShimEngine, xrefs: 01A199F4, 01A19A07, 01A19A30
              • Loading the shim user DLL failed with status 0x%08lx, xrefs: 01A19A2A
              • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 01A199ED
              • Getting the shim user exports failed with status 0x%08lx, xrefs: 01A19A01
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 019FC6C3
              • minkernel\ntdll\ldrredirect.c, xrefs: 01A38181, 01A381F5
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 01A381E5
              • LdrpInitializeProcess, xrefs: 019FC6C4
              • Loading import redirection DLL: '%wZ', xrefs: 01A38170
              • LdrpInitializeImportRedirection, xrefs: 01A38177, 01A381EB
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              Strings
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A3219F
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A32180
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A32178
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A321BF
              • RtlGetAssemblyStorageRoot, xrefs: 01A32160, 01A3219A, 01A321BA
              • SXS: %s() passed the empty activation context, xrefs: 01A32165
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              APIs
                • Part of subcall function 01A02DF0: LdrInitializeThunk.NTDLL ref: 01A02DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D74
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 019F8421
              • LdrpInitializeProcess, xrefs: 019F8422
              • @, xrefs: 019F8591
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019F855E
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              Strings
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A321D9, 01A322B1
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A322B6
              • .Local, xrefs: 019F28D8
              • SXS: %s() passed the empty activation context, xrefs: 01A321DE
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              Strings
              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A33456
              • RtlDeactivateActivationContext, xrefs: 01A33425, 01A33432, 01A33451
              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A33437
              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A3342A
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
              • API String ID: 0-1245972979
              Strings
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A21028
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A210AE
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A2106B
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A20FE5
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01A2A9A2
              • LdrpDynamicShimModule, xrefs: 01A2A998
              • apphelp.dll, xrefs: 019E2462
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A2A992
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              Strings
              • HEAP[%wZ]: , xrefs: 019D3255
              • HEAP: , xrefs: 019D3264
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019D327D
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01A2A121
              • Failed to allocated memory for shimmed module list, xrefs: 01A2A10F
              • LdrpCheckModule, xrefs: 01A2A117
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              • API String ID: 0-161242083
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-1334570610
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01A382E8
              • Failed to reallocate the system dirs string !, xrefs: 01A382D7
              • LdrpInitializePerUserWindowsDirectory, xrefs: 01A382DE
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A7C1C5
              • PreferredUILanguages, xrefs: 01A7C212
              • @, xrefs: 01A7C1F1
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 01A44899
              • LdrpCheckRedirection, xrefs: 01A4488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A44888
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-2558761708
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01A42104
              • LdrpInitializationFailure, xrefs: 01A420FA
              • Process initialization failed with status 0x%08lx, xrefs: 01A420F3
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              Strings
              • LdrResSearchResource Exit, xrefs: 019CAA25
              • LdrResSearchResource Enter, xrefs: 019CAA13
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              • API String ID: 0-4066393604
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              Strings
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019C063D
              • kLsE, xrefs: 019C0540
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              Strings
              • RtlpResUltimateFallbackInfo Enter, xrefs: 019CA2FB
              • RtlpResUltimateFallbackInfo Exit, xrefs: 019CA309
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A4895E
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Instruction Fuzzy Hash: 8241BF35D00215ABDB14DF98C440AEEBBBAFF88710F19811EFA19E7241D7759D41CBA4
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
              • Instruction ID: afe5fbb421da1a152e2faf2e01a08498b8eb81855b3b39486d33b96d84850fe6
              • Opcode Fuzzy Hash: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
              • Instruction Fuzzy Hash: E341B3716047029FD726DF28C884E27B7F9FF88218F004929E95BC7611EB31E8598B51
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: 56abae024badfabb1d2c25b04c5b8def08e0f6be6936ee824114b56de015d76c
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 38515975A00225CFCB15CF98C580AAEF7B2FF84710F2881A9E955E7351D774AE82CB90
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
              • Instruction ID: 351819c6244e953a25d8665d9a86209aef5f82907f9a343f5308002707c6ba13
              • Opcode Fuzzy Hash: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
              • Instruction Fuzzy Hash: A95104B09002569FDB268B68CD40BF8BBB6FF51314F0482A9E56DA73D2D7349981CF81
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
              • Instruction ID: d3c1db7bcdbc909792f5268bb454792514adb78ef574081b351ae1eff4235264
              • Opcode Fuzzy Hash: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
              • Instruction Fuzzy Hash: 5741A435E40228DBDB22DF68C940FEA77B8BF45B40F4540A9E94CAB241D7349E84CB91
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 5b0e50ede57135f5afd095d51229a17d06ab39cb13dfcb36f78a00ea428106c2
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: FD41B675B10205ABEB15FF99CD84AAFBBBAAF88744F544069E904E7341DE78DE00C760
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
              • Instruction ID: bc64ba70f3a711be5ec99ef17335750f265b4c1fa53c4b95b53d880c7010af5b
              • Opcode Fuzzy Hash: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
              • Instruction Fuzzy Hash: DE41B274600702DFE725CF28C480A66B7F9FF89714F188A6DE58E86651E731E845CB92
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
              • Instruction ID: d1b35e2baa61d06a48c36673367d9cb88808bcb996f593cad746e21e712d99fb
              • Opcode Fuzzy Hash: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
              • Instruction Fuzzy Hash: 7F41D031900215CFDB26DF6CC898BED7BF4FF58720F144565D41AAB2A2DB349941CBA0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
              • Instruction ID: aeb1083a88d986de84458b57a5e89162985011d70eb4e42bd0b38abf587fa6f8
              • Opcode Fuzzy Hash: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
              • Instruction Fuzzy Hash: B6412536D00252DBDB28DF5CC880BAABBB5FB98B10F15802ED5069B266C335D942CF91
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
              • Instruction ID: 70e4b1e88fb0d9fe9509f0c633f6443e91736e175233efaf28458825b8fbc6da
              • Opcode Fuzzy Hash: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
              • Instruction Fuzzy Hash: F54160355083069ED712DF65C980AABB7E9FF88B54F40092EF988D7250E730DE058BA3
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 54630a0876c8b323ad24f1d56973435f75d34860acd8893b23249a1a05428897
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: A4416C31A00216EFDB21DF2D86C4BFABB71EB91755F15C06AE9498B244D637CD80CBA0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
              • Instruction ID: 951ace7b19c7183831ab133878cbb0b5d5579603834d1fbe116112d8ead8e510
              • Opcode Fuzzy Hash: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
              • Instruction Fuzzy Hash: FF415C75600601EFD721DF18C840B26BBF8FF58B15F248A6EE48D8B251E771E942CB91
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 85028e97c728a632bb9afa8165bb0e94169597b00334b3f4ccc9b95d0bfb05d5
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: D4412C75A00705EFDB25CF98C980AAABBF9FF18700B24496DE65AD7652D330EA44CF50
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
              • Instruction ID: e1f44f71b19988f9751d5931d92aaa2f37f4d91ee794fd284a6b3d96de0fd7c9
              • Opcode Fuzzy Hash: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
              • Instruction Fuzzy Hash: 8141C4B1501741DFC722EF68CA80A55B7F5FF84B11F14856EC54E9B2A2DB30A941CF52
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
              • Instruction ID: 6b1062b5f97cee60b354029833678d72d114affa5ee16acb027ebedbaed60175
              • Opcode Fuzzy Hash: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
              • Instruction Fuzzy Hash: BB316CB1A00749EFDB11CF98D540B99BBF4FB49724F2085AEE119DB251D3369942CF90
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
              • Instruction ID: e41d5cac083b93c8668d5c22a1d76cd4b06f4622cb94e2092d29c787cfebe9e8
              • Opcode Fuzzy Hash: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
              • Instruction Fuzzy Hash: 7B418C715043419FD321DF29C984B9BBBE8FFC8614F004A2EF698D7291D7709905CB92
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9c7537e80e00a28a42f944f551e6e69be3e10ec36b329546d8cce6c349b6eec
              • Instruction ID: ae9d1d3945a7df4e8179e3debf398fb3295f9972737d840957676c8188315bfb
              • Opcode Fuzzy Hash: e9c7537e80e00a28a42f944f551e6e69be3e10ec36b329546d8cce6c349b6eec
              • Instruction Fuzzy Hash: 2D41F671E06616EFDB01DF58CAC0AE8B7B9FF58760F148629D81AA7280D730ED418BD0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
              • Instruction ID: 2f816e370878e971893e597260f0cb6a2a246115ef9391e088b87886d22c14dc
              • Opcode Fuzzy Hash: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
              • Instruction Fuzzy Hash: 3D41E3726046429FC320DF68D940BABB7E5FFC8700F14461DFA5997680E770E904D7A6
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
              • Instruction ID: 30b6f2481927e67c082cd442cca937eed622cca0b4e47e3d32e015a3d9c01418
              • Opcode Fuzzy Hash: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
              • Instruction Fuzzy Hash: 8441D5707003128BD725DF2CD8A4B66BBE9EF80F51F14452DEA898B2A1D730D951CB93
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef96301c27507a79435b4f641c6a97a078b2e19f4241e048947f24446c84ac16
              • Instruction ID: 738f4171b3dd4b03c0f7e5f1923e136d1e2436db53a6ef7a779aa9c41a3dc963
              • Opcode Fuzzy Hash: ef96301c27507a79435b4f641c6a97a078b2e19f4241e048947f24446c84ac16
              • Instruction Fuzzy Hash: 3E41A1B1E01615CFCB15DF69CA809EDB7F9FF8C720B10862ED46AA7290D734A941CB50
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 1f6ff4e997d86943c61dc316ed088f381b2a5ad87fa7251866029d9f18295934
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 18312831A00244AFDB128B6CCC44BABFFE9EF54350F088565F459D7352D674D844CBA1
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
              • Instruction ID: 9d398e97a5ed428ba4376486e6da28ac95d0e097e6adc6f7da2890a082a5e5bb
              • Opcode Fuzzy Hash: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
              • Instruction Fuzzy Hash: 5A31B975750716ABD722DF65CC85F6B76F9EB99B50F000028F604AB2D2DAA5DD00C7E0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
              • Instruction ID: aec3739c45abd7ba550bf62eccb7a75e33a9aba9a072ac1667b3e61b86f4f8db
              • Opcode Fuzzy Hash: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
              • Instruction Fuzzy Hash: 2A31CF326056018FC321DF19DC80E36BBE5FB89360F0A846EE9998B262D731AD45CF91
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
              • Instruction ID: 6c4730449be077f3c9698c6b2d7858e86106fa142caee89a64c52589d43e28a0
              • Opcode Fuzzy Hash: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
              • Instruction Fuzzy Hash: B441AD71200B459FD726CF28CA95FD67BE9BB89714F01882EE6998B260D774E800CB61
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
              • Instruction ID: f123588674d30f956d0c900522689faf4040636ce0b57caa50000ff10c4f67b6
              • Opcode Fuzzy Hash: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
              • Instruction Fuzzy Hash: 2B318D726046018FD320DF29CC91E3AB7E5FB88720F09456DF9599B295E730EE45CB92
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
              • Instruction ID: baf1a7b938a97c83165ce45ee01017389a824d1c9182569427e318e6f9f18f15
              • Opcode Fuzzy Hash: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
              • Instruction Fuzzy Hash: E231D0713016869BF32B5B6DC948F697BD8BFC0B40F1D80A0BB458B6D2DB68D841C661
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
              • Instruction ID: 10354a84e86d3a877bce1f20fabb8a15bf91efb40e1e1076969a41fa8158f5e7
              • Opcode Fuzzy Hash: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
              • Instruction Fuzzy Hash: AF31C475E00156EBEB15EF98CD40FAEB7B5FB48740F4541A8E904AB284E770ED41CBA4
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
              • Instruction ID: ea070d4d19c86531c02272494d97c793495979af542b70dac0a9e94682be6ff5
              • Opcode Fuzzy Hash: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
              • Instruction Fuzzy Hash: A6316376A4012DABDF21EF54DD84BDEBBB9AB9C310F1000A5A508E7250CA30DE91CF90
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
              • Instruction ID: 24c1d27157f6b0e01543fc719a35ad3822544becf262e4e38c57642b0603fc93
              • Opcode Fuzzy Hash: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
              • Instruction Fuzzy Hash: 4131B772E00219AFDF22DFAACC44EAEBBF9EF44750F054425E519D7250D2709E008BA0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
              • Instruction ID: 658e72164491aba80dfe4af81841915bcb858094b7efecbc929619d4088bd857
              • Opcode Fuzzy Hash: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
              • Instruction Fuzzy Hash: A131A775B40706AFEB12AFA9CC50B6EBBB9BF44754F044069E50ADB353DA70DD018B90
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 474aff8b99d3437c50b2d8971737023d5a030f565426bf356c935bba37e7d1b2
              • Instruction ID: 439f1e395659ba657a518c8a81088a25ac72fde9864eb13ecd7f821a7b302a30
              • Opcode Fuzzy Hash: 474aff8b99d3437c50b2d8971737023d5a030f565426bf356c935bba37e7d1b2
              • Instruction Fuzzy Hash: 3031F636A04216DBC712DE28C880E6B7BE5AFD4A50F09852CFD9DA7210DA31DC018BE3
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2cd39c042a5f688a959a4b7e7ab578cda5c1d263bea7d872f18b137115d33164
              • Instruction ID: bbddb57400e0449c7553dde0c4fa13378a8524806e25c857bf0d408e78b895c3
              • Opcode Fuzzy Hash: 2cd39c042a5f688a959a4b7e7ab578cda5c1d263bea7d872f18b137115d33164
              • Instruction Fuzzy Hash: AC31BE716083519FE720CF1DC840B6ABBE9FF98B10F04496EE98897250D7B5ED44CB92
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 263548ba10fe4a9dc2495c4e8fef8e63bac2c8dd37bd20942e76382c26b80e1d
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 4F312AB2B04B01AFD761CF69DE40F57BBF8AB48A50F14492DA69EC3650E630E9008B60
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df3e8413648db58ae0081f88c5b88270612083ef59c9f849d4df5bb3094d5ca3
              • Instruction ID: 1b23be053ff4f1a0fcd81b63e3922f6e7f6c984f7e64c64aec7fdb47949f52a0
              • Opcode Fuzzy Hash: df3e8413648db58ae0081f88c5b88270612083ef59c9f849d4df5bb3094d5ca3
              • Instruction Fuzzy Hash: 1231ECB5509381DFCB11DF19C4808AABBF9FF89604F4489AEE4889B216D330DD45CBC2
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7da6b405fafd26f3117ac46eec708d16691be024f27bdaa68ba20d4dafd8e12d
              • Instruction ID: c04108307856095f0778cf8707e0c2a855cc6550beb6235851c0e90097c31c2d
              • Opcode Fuzzy Hash: 7da6b405fafd26f3117ac46eec708d16691be024f27bdaa68ba20d4dafd8e12d
              • Instruction Fuzzy Hash: 3531E831B002059FD726DFB9C989A6E77F9BF84704F008529D50AD7254E730EA41CB91
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction ID: 1219ef6ee10451c58a2103627177f59383832c6a4bc4fb69c807619b37160b3a
              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction Fuzzy Hash: B5212876E0125BAADB11DFB9C941BEFBBB5AF54740F0584359E19E7340E270D900C7A0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
              • Instruction ID: 018c4c27f836232d36d251f7532616d58cc46e4aef0ecf2adf9fa44719fb8f6f
              • Opcode Fuzzy Hash: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
              • Instruction Fuzzy Hash: 2F01D8322186029BC364DF6A9888967BBB8FF98660F514229FE5D871C0E7309901C7D1
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
              • Instruction ID: 64b1e16662d1006f12c46b1ba87679275fed5b32231131000e8ed95b88d0aa78
              • Opcode Fuzzy Hash: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
              • Instruction Fuzzy Hash: 27116975A0220DEFDB15EFA8D944EAE7BB5FB88350F004059FD0597396DA34EA11CB90
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
              • Instruction ID: e3d75f307426ae6f0b8b81edb9411d8bc35dd3d801c7463c81dc507e4be19aaa
              • Opcode Fuzzy Hash: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
              • Instruction Fuzzy Hash: 931179B56093089FC710DF69D441A5BBBE4FF98310F00851EBA98D7391E630E900CBA2
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
              • Instruction ID: c11d4ea50143bcc3186bdc39b2a58892359a2f065cda525d8a45b45b6c509e26
              • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
              • Instruction Fuzzy Hash: 5301FC32200A059FDF21DB5DD944F57B7E6FFC9610F044459E6428BA50DA74F8D2C754
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
              • Instruction ID: 72e6bea9ec0cc40e3d56ec14cdced41a1d7d0fbbdd959e1fab67bb5bd8719e67
              • Opcode Fuzzy Hash: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
              • Instruction Fuzzy Hash: 611179B16093089FC700DF69D441A5BBBE4FF99350F00852AB958D73A5E630E900CBA2
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 68c66855c465207390d7510e92723560f28c043ed53de527a78a25796501f1de
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: A20178722046809FE326875DCA58F777BECEB84B54F0D84A5FA09CB6A1D668DC40C662
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
              • Instruction ID: 7b49dda6c165de3fb5e0d4e2c6f9ccb01a2fac01b815c62ba680effdced669ee
              • Opcode Fuzzy Hash: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
              • Instruction Fuzzy Hash: DC01F731700609EFD714DB6ADA849EFB7FCFF88650F054029990997640EE30FC01C690
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
              • Instruction ID: 314c7037fe3cc7bdc235d0af51164c1df33b27c1bdc490a38644e9d31e263ea5
              • Opcode Fuzzy Hash: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
              • Instruction Fuzzy Hash: 5301A275280741AFD3319B19D980F56BABCEF55F50F11842AB60A9F3A1D6B09881CB64
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
              • Instruction ID: 902fba36787f1b0375a4580a939f714540fe2ee3e346ee3625c3f8be30524303
              • Opcode Fuzzy Hash: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
              • Instruction Fuzzy Hash: 1BF0F432B41B50BBD731DB5A8D40F57BAADEBD4EA0F01842DA60997600CA30ED01CBB1
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 8aac858227d98f440972a070cd0d8a194b05b66b753012edd9d6c21b6dde07ce
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 04F0C2B2600611ABE325CF4DDC40E57FBEEDBD1B91F058128E549C7220EA31ED04CB90
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 3fdb8fc555825e05adcf8d3ff5dbe95db0ff30a5830b501f007e9b8d56206010
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 2FF021732066339BD732565D49C0FEBA5998FD1A65F590036F20D9B204C9649D0157D1
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cb2428092a43d7b58d6224d817b036605a5bfe0158f47ad936f91de98b41bbac
              • Instruction ID: 5989d90076912f78420b6fa19e0e94204ca50e33209a43e9d0b24d654fb04449
              • Opcode Fuzzy Hash: cb2428092a43d7b58d6224d817b036605a5bfe0158f47ad936f91de98b41bbac
              • Instruction Fuzzy Hash: B1014F71E10249EFDB04DFA9E551AAEB7F8FF58304F10406AF904E7391D6749A01CBA0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d093b1303b03b05707d5f7c1a6bd23337432a4a1183c3f8f73da449d5504564
              • Instruction ID: a6d8c6929163e62bae3f4745f0e80ed700a1a8602723d902b10e5c2d826d3846
              • Opcode Fuzzy Hash: 1d093b1303b03b05707d5f7c1a6bd23337432a4a1183c3f8f73da449d5504564
              • Instruction Fuzzy Hash: 20014471E00209EFDB04DFA9E541AAEB7F8FF58304F50405AF914E7391D6749E018BA0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fa9cbdf757f9a35cf0e40bc5341a5e1e3d6590f01e6fa33e9b3b915dc67b269
              • Instruction ID: 6df365ba5cc86319583bf28ac7be11d2f087d880db7c5e714ff0447c7527a782
              • Opcode Fuzzy Hash: 5fa9cbdf757f9a35cf0e40bc5341a5e1e3d6590f01e6fa33e9b3b915dc67b269
              • Instruction Fuzzy Hash: A4014471E10249EFCB04DFA9D551AAEB7F8FF58304F10405AF904E7391D6749A01CBA0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
              • Instruction ID: e3eb632d8e2994d8c66a0ee140129b54dd1ae00146802e7d1251004d8c8e98e9
              • Opcode Fuzzy Hash: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
              • Instruction Fuzzy Hash: 1B018F71E012499FCF00DFA9E541EEEBBF8BF58710F14405AE504A7280DB34EA01CBA4
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: 2586f5d6039f025516ecb64d484ef52ce34b8968960896b7870379e1ea42eea8
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: D7F0127220001DBFEF019F94DD80DEF7B7DEB952D8B104125FA1592160D631DD21A7A0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
              • Instruction ID: 398a11bb356a5b665b58c45d049f4022be970636585be73c3ea56134242aafce
              • Opcode Fuzzy Hash: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
              • Instruction Fuzzy Hash: CB018536100249ABCF129F94D940EDE3F6AFB8C664F068105FE1A66220C332D971EF82
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
              • Instruction ID: 280e68a237539482cc1614f2d865f31da2fdb65b95f5b1b8df549589e6a0e44f
              • Opcode Fuzzy Hash: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
              • Instruction Fuzzy Hash: 4DF024712143416BF768965D8E81FB2729AF7C0752F25802AEB0D9F2C1ED71DC0187A5
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
              • Instruction ID: 60c40a40263b12e1b5498329a5f34b865611667a0a1726c95c31d0d9aa3dfa52
              • Opcode Fuzzy Hash: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
              • Instruction Fuzzy Hash: 6901A474600BC1ABF323977CCD4CF2537A8BB84B00F484694BB059B6E6D768D401C711
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: 6d226f6fb2dc4a19558a83810d0681c9dbd847f47e2ea04cbd3cda85d185981d
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: 6FF02E35345E1357FB36AB2D8410B2FBA9E9FD4D00B05052C9605CB640DF20DC00D7D0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
              • Instruction ID: 2b01bcbd0c738246e95abf8eeac2b9bec4c46c5aa0c1f6121001ac2d6d4f97f2
              • Opcode Fuzzy Hash: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
              • Instruction Fuzzy Hash: 0EF0C2706063449FD310EF29C541E2BB7E4FF98720F40465AB898DB3D5E634EA01CB96
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction ID: 0fe664ac5e8d831850d31cab33d44ff44bc1f6384b8c634bb8ba624eedc4c20c
              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction Fuzzy Hash: D9F05E73B116529BFB229B5ECC80F16B7B8BFD5A60F190065AA08AB260C764EC0187D0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction ID: 58972245c5a0259bc8c0907bb858aea46003ece7e67b7a7760069b1f8e3e06cb
              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction Fuzzy Hash: E4F02472610204BFE314DB21CC00F86B6EEFF98710F188078A648C7160FAB1ED00C754
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
              • Instruction ID: 13bd57e81d2526eb9fd8d5f720d147e01e27c458ec456c8520ae74405718bd8a
              • Opcode Fuzzy Hash: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
              • Instruction Fuzzy Hash: 28F06275A02249EFCB04EF69D555E6EB7B4FF58300F008065B959EB396DA34EA01CB50
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
              • Instruction ID: 2487f278a454c857f68966d68bcc2d5448bc07c9a050d407f0ee31e809fd721e
              • Opcode Fuzzy Hash: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
              • Instruction Fuzzy Hash: 3FF09031B166D19FE7228B6CC564B63BBDC9B08E21F08896ED5CD87502C724D880CA53
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
              • Instruction ID: c2851a98752c696b022c8e05988e6d3a822d12e825f7c87b2c0b9e0c507cd269
              • Opcode Fuzzy Hash: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
              • Instruction Fuzzy Hash: 51F0EC6A4167C10ADF327B3C7FE03D17F55A755130F191445E4B59721BC5748587C324
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
              • Instruction ID: eef594605b69ad28e5cbe68e9764e23c5a437b6b7bc85678e96f173a0b664856
              • Opcode Fuzzy Hash: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
              • Instruction Fuzzy Hash: 7CF0E2B191965FBFE732971CC148F55BBDCAB44BA2F08D82ED64E87612C260E881CB50
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: b3a65008cb825271ff3582130f38dc77d14fcc1a06d0c434ccc2dc9707b78af9
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 04E0D8323006012BE712AF599DC8F47776EDFD2B14F05407AB5085F292C9E2DC0982A4
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: 48c704769d3f2e4209962d88cc8f9bf745694ab669a26b65ec3e8d012dce3509
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: D5F03072108204AFE3619F09D944F92B7F8EB45375F86C025EA0D9B561D379EC40CBA4
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: e91ecbd5991fffd87086d6c0d0164c3a7df80ee2f45755e50b07ab2ac2209deb
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 5AF0E53D204345DBDB1ACF1AC450AE57BA4FB45750F084458FC8A8B301D731EA81CB91
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction ID: 5a39f2a8a9f9a4fce6747b646b8843bc4df94a125a20aae0f05f9d429e735511
              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction Fuzzy Hash: 34E0DF32244685BBD3212A5D8800F6B7BAAEBD07A1F16482DE30C8B250DB74DC44C7E8
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 291442d27bdfe3ed1be715813f7c76b790b1441ec4611e60cf7879cb81f463e8
              • Instruction ID: 67008ae1cba2c110e04fff40bc90bde0822a9dc7818165c4978d50f45d479814
              • Opcode Fuzzy Hash: 291442d27bdfe3ed1be715813f7c76b790b1441ec4611e60cf7879cb81f463e8
              • Instruction Fuzzy Hash: F7F02BB1A257914FEF72D72CF340F5277E0AF18670F2A0564D40487912C320DCC2C650
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: 4d4c5851b4d47958b4b8a955328c2a17dd442890a2574f1193f9bd5ab2eae37c
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: A0E0DF32A00110BFEB21AB998D05F9BBEBCDB90EA0F054054B608E71E0E530EE00D790
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction ID: a4670e120f2aba706b94b3fd1d60b8f10277bffd53776368e4a3d19a7987d2f1
              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction Fuzzy Hash: 6BE09B727403608BCF268B2DC340A53B7ECDF95AA0F15C069EA054B612C231F8C3C6D0
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
              • Instruction ID: 4d622e5607a10a8d0b72f3618d2acc48a380f073cf9224f2af9c2099fd4b2986
              • Opcode Fuzzy Hash: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
              • Instruction Fuzzy Hash: A7E0D872100A949BC322FF29DD15F8B779AEFA0764F014519F159571A1CB34AD10C7D4
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: 426f099100687ffbc369572af9db63b1252df62ea177cc8fb1ce6d0105ac7d2a
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: F4E01A31010A52EFE7366F2ADD5CB56BBE5BFA0711F18CC2DA19A124B1C7B699C1CA40
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 552a15956e6edf140d1e7036875c47855e33a93372fbe0707043c4b86c01c229
              • Instruction ID: e48f8a44f119dc5fb37d7f82f653ac3b85e6ae180d8c4b8a1b1ca36065a20ca9
              • Opcode Fuzzy Hash: 552a15956e6edf140d1e7036875c47855e33a93372fbe0707043c4b86c01c229
              • Instruction Fuzzy Hash: 0F90022224184443D14072584804B0F510597E2242F96C019A4156554CCA1989555721
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 872dc99289867f4e2aa785755a35802f396d02b9639fefbdb8be157e413b66d3
              • Instruction ID: c9ed6cda0e04fd6794def4874f1bcb457587acb7718aa3155431c961f61c45a4
              • Opcode Fuzzy Hash: 872dc99289867f4e2aa785755a35802f396d02b9639fefbdb8be157e413b66d3
              • Instruction Fuzzy Hash: A190022228545103D150715C44046165005B7E1241F56C021A0814594DC65989556321
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9de4b6c3f286bd8360265c783afed44010775165fd88c508a964d8bc5e85d128
              • Instruction ID: 1e178dda137b0e2af6909a979321e324cf9d7ca17633fa61a22ee22715e95e36
              • Opcode Fuzzy Hash: 9de4b6c3f286bd8360265c783afed44010775165fd88c508a964d8bc5e85d128
              • Instruction Fuzzy Hash: 5890023224240143954072585804A4E510597E2342F96D415A0015554CCA1889615321
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 523bddc5c6307845f045dd98302735a002ff55e9865dd4d6f4a53048ee55bb45
              • Instruction ID: 7eced7b90e06c77cf750e287a964ed6d5252b6ef29d6ed26d1dfbbed68d7b675
              • Opcode Fuzzy Hash: 523bddc5c6307845f045dd98302735a002ff55e9865dd4d6f4a53048ee55bb45
              • Instruction Fuzzy Hash: C090023624140403D51071585804646104697D1341F56D411A0424558DC75889A1A221
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 52e978578e077edba0831d1192d802e0eff8b2011b161982e00cd0f8527f42b5
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 59568194e0aa467bedf9f8c085c84946031e970dc8db4739e9fe55eeb872c3f4
              • Instruction ID: 46f654ec0581af69eb8125e9d5d5683bb325728fd9ac41ba0efa6c19fd121ee5
              • Opcode Fuzzy Hash: 59568194e0aa467bedf9f8c085c84946031e970dc8db4739e9fe55eeb872c3f4
              • Instruction Fuzzy Hash: 4F510AB5A00216BFDB13DBAC9984A7EFBB8BB48340714816AF599D3681D334DF4487E0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 1cdcc499049757b1ef0ccd69ed85ec5659d56189e92a955ed7655e8b3e39e5a2
              • Instruction ID: af0474d106ca58dac6a1d8a70a127a56087aaf9aaebfa7216e3258d065444d66
              • Opcode Fuzzy Hash: 1cdcc499049757b1ef0ccd69ed85ec5659d56189e92a955ed7655e8b3e39e5a2
              • Instruction Fuzzy Hash: 0351E775A00645AEDB30DF6CCD90A7FBBF9EB44200B04846BF59AD7642E674EB408760
              Strings
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A346FC
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A34725
              • ExecuteOptions, xrefs: 01A346A0
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A34742
              • Execute=1, xrefs: 01A34713
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A34655
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01A34787
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
              • Instruction ID: 660ba29c23666c8fbbb86a3962f85e168db890a60ec2ace250fe59af2f838236
              • Opcode Fuzzy Hash: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
              • Instruction Fuzzy Hash: B25128316002197BEF25ABE8EC85FAA77BCAF58305F0400ADE709A71D1E7719A458F51
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: c075bf17525724de2f2cf6854a49e987d4cc26c8aac243e0bc1016a04e5fdda9
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 2E81B138E062498EEF2BCF6CEA507BEBBB1AF45310F1C4559D851A72D1C73499408B71
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
              • Instruction ID: 7d8d14bd58121c674941eb05248833b5c00fb2b0984de0c38ba8be1404775d3d
              • Opcode Fuzzy Hash: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
              • Instruction Fuzzy Hash: 0121627AA00259ABDB11DF79ED40AFEBBF8FF54650F040126EA45E3241E730DA018BA1
              Strings
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A302BD
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A302E7
              • RTL: Re-Waiting, xrefs: 01A3031E
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
              • Instruction ID: bfd79673e99b809377f634e424c53fe81ec60ba13ac740b3f286ae6bb1bd8d07
              • Opcode Fuzzy Hash: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
              • Instruction Fuzzy Hash: 0FE1C0306047419FE726CF28C988B2ABBE4BF88714F140A5EF5A9CB2E1D775D945CB42
              Strings
              • RTL: Resource at %p, xrefs: 01A37B8E
              • RTL: Re-Waiting, xrefs: 01A37BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A37B7F
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
              • Instruction ID: efef770dc234e9771f9c56b044d9ad82039aa1fa306a45e1f439633180195512
              • Opcode Fuzzy Hash: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
              • Instruction Fuzzy Hash: 0541EF35704702AFD725DE29C940F6AB7E5EF88721F000A1DFA5B9B680DB31E8058B91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A3728C
              Strings
              • RTL: Resource at %p, xrefs: 01A372A3
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A37294
              • RTL: Re-Waiting, xrefs: 01A372C1
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
              • Instruction ID: 321849633cfeaaa6104f575f7c995d35dc6b52135d84f052f99b0112f99bea31
              • Opcode Fuzzy Hash: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
              • Instruction Fuzzy Hash: 3C410271700202AFD721CFA9CD41F6AB7A5FB94B10F10061DFA5AAB280DB30F8568BD1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
              • Instruction ID: d6bb77e1c5bb1cee5d18388460ac23e4fd2360a9d484350ca1b5140f32194c62
              • Opcode Fuzzy Hash: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
              • Instruction Fuzzy Hash: 4D319372A002199FDB20DF2DDD40BEEB7F8FF54610F44455AE949E3240EB30AB448BA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: 415167690a4b68f5e0e6cb0a09056a60b43caef496bb5da04675d4b2ab1bb369
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 5491B2B1E002169BEF26DFADE8806BEBBB5AF44320F54451EE995E72C0D734AD40CB51
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
              • Instruction ID: 79ecee8af4586b4101e0e72824e0f786931a1bfa7916fc84086cdaad4b079968
              • Opcode Fuzzy Hash: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
              • Instruction Fuzzy Hash: 07812B76D002699BDB31CB58CC45BEABBB8AB48714F0441EAEA0DB7240D7705E85CFA1
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 01A4CFBD
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2385119811.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_1990000_PO1038854.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4Cw@4Cw
              • API String ID: 4062629308-3101775584
              • Opcode ID: 681b661876d3bf33a61296d98201e16341f92bd75f080bd65c7424eac5e0c4b8
              • Instruction ID: 1b8314ec3469a3c592fcdf243b30aafc78b0ab9dd9be618493afeb75866a033c
              • Opcode Fuzzy Hash: 681b661876d3bf33a61296d98201e16341f92bd75f080bd65c7424eac5e0c4b8
              • Instruction Fuzzy Hash: F141D175900255EFCB21DFE9C880AADBBF8FFA4B10F00442AE90ADB265D734C901CB65