Windows Analysis Report
vTHGfiwMDeoOH5a.exe

Overview

General Information

Sample name: vTHGfiwMDeoOH5a.exe
Analysis ID: 1527610
MD5: 3aa5992e9a518e4d1a7042a16b10e31d
SHA1: 5bce77192abbf2a71a2b19d6b00f08685f569b64
SHA256: cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vTHGfiwMDeoOH5a.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe" MD5: 3AA5992E9A518E4D1A7042A16B10E31D)
    • powershell.exe (PID: 4928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4304 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • vTHGfiwMDeoOH5a.exe (PID: 5328 cmdline: "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe" MD5: 3AA5992E9A518E4D1A7042A16B10E31D)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f613:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c270:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x142bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: vTHGfiwMDeoOH5a.exe PID: 6640 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Source | Rule | Description | Author
3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e813:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16862:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f613:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", ParentImage: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe, ParentProcessId: 6640, ParentProcessName: vTHGfiwMDeoOH5a.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", ProcessId: 4928, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", ParentImage: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe, ParentProcessId: 6640, ParentProcessName: vTHGfiwMDeoOH5a.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", ProcessId: 4928, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", ParentImage: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe, ParentProcessId: 6640, ParentProcessName: vTHGfiwMDeoOH5a.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe", ProcessId: 4928, ProcessName: powershell.exe
            No Suricata rule has matched


            AV Detection

Source: vTHGfiwMDeoOH5a.exe; Virustotal: Detection: 36%
Source: Yara match; File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: vTHGfiwMDeoOH5a.exe; Joe Sandbox ML: detected
Source: vTHGfiwMDeoOH5a.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vTHGfiwMDeoOH5a.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP; source: vTHGfiwMDeoOH5a.exe, 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: vTHGfiwMDeoOH5a.exe, vTHGfiwMDeoOH5a.exe, 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp

            E-Banking Fraud

Source: Yara match; File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

Source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_0042C8B3 NtClose
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552B60 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552C70 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_015535C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01554340 NtSetContextThread
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01554650 NtSuspendThread
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552BF0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552BE0 NtQueryValueKey
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552B80 NtQueryInformationFile
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552BA0 NtEnumerateValueKey
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552AD0 NtReadFile
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552AF0 NtWriteFile
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552AB0 NtWaitForSingleObject
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552D10 NtMapViewOfSection
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552D00 NtSetInformationFile
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552D30 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552DD0 NtDelayExecution
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552DB0 NtEnumerateKey
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552C60 NtCreateKey
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552C00 NtQueryInformationProcess
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552CC0 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552CF0 NtOpenProcess
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552CA0 NtQueryInformationToken
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552F60 NtCreateProcessEx
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552F30 NtCreateSection
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552FE0 NtCreateFile
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552F90 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552FB0 NtResumeThread
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552FA0 NtQuerySection
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552EE0 NtQueueApcThread
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552E80 NtReadVirtualMemory
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01552EA0 NtAdjustPrivilegesToken
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01553010 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01553090 NtSetValueKey
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_015539B0 NtGetContextThread
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01553D70 NtOpenThread
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Code function: 3_2_01553D10 NtOpenProcessToken
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: String function: 0159F290 appears 105 times
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: String function: 01555130 appears 58 times
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: String function: 01567E54 appears 108 times
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: String function: 0158EA12 appears 86 times
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: String function: 0150B970 appears 265 times
            Source: vTHGfiwMDeoOH5a.exe, 00000000.00000002.1757630550.0000000007500000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs vTHGfiwMDeoOH5a.exe
            Source: vTHGfiwMDeoOH5a.exe, 00000000.00000002.1749534423.0000000003D25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs vTHGfiwMDeoOH5a.exe
            Source: vTHGfiwMDeoOH5a.exe, 00000000.00000002.1749534423.0000000003AFD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs vTHGfiwMDeoOH5a.exe
            Source: vTHGfiwMDeoOH5a.exe, 00000000.00000002.1736246551.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vTHGfiwMDeoOH5a.exe
            Source: vTHGfiwMDeoOH5a.exe, 00000003.00000002.1819818662.000000000160D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs vTHGfiwMDeoOH5a.exe
            Source: vTHGfiwMDeoOH5a.exe | Binary or memory string: OriginalFilenameHRjb.exe4 vs vTHGfiwMDeoOH5a.exe
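            The rows above compare the OriginalFilename value of VERSIONINFO blocks found in memory with the on-disk file name. Tyrone.dll and HRjb.exe are the names carried by the sample's own embedded assemblies; the clr.dll and ntdll.dll rows come from version blocks of runtime and OS modules present in the dumped regions and say nothing about the sample. The stray character after each name ('8', 'T', 'j%', '4') is the bytes that follow the terminated string in the dump, not part of the name. The Python below is an added example and not Joe Sandbox's implementation: it scans a buffer for the UTF-16LE OriginalFilename key, reads each value and reports the ones that differ from the on-disk name after dropping known OS modules. The allow-list, the constructed dump and the VERSIONINFO builder used to produce it are assumptions; the names in the dump are taken from the rows above.

```python
# Key as it appears in a VS_VERSIONINFO 'String' entry: UTF-16LE text plus NUL.
KEY = "OriginalFilename".encode("utf-16le") + b"\x00\x00"

# Version blocks of these OS modules show up in almost every process dump and
# legitimately carry a different OriginalFilename. Illustrative list, not
# taken from the report; extend it from your own baseline.
KNOWN_OS_MODULES = {"clr.dll", "ntdll.dll", "kernel32.dll", "mscoree.dll"}


def _utf16z(buf: bytes, start: int, max_chars: int = 260) -> str:
    """Read a NUL-terminated UTF-16LE string beginning at an even offset."""
    chars = []
    for i in range(start, min(len(buf) - 1, start + 2 * max_chars), 2):
        code = buf[i] | (buf[i + 1] << 8)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


def original_filenames(dump: bytes):
    """Yield every OriginalFilename value in a PE file or memory dump.
    The Value follows the key, possibly after 2 bytes of DWORD padding."""
    pos = 0
    while True:
        pos = dump.find(KEY, pos)
        if pos < 0:
            return
        value_at = pos + len(KEY)
        if dump[value_at:value_at + 2] == b"\x00\x00":   # alignment padding
            value_at += 2
        name = _utf16z(dump, value_at)
        if name:
            yield name
        pos = value_at


def mismatches(dump: bytes, on_disk_name: str) -> list:
    """OriginalFilename values that differ from the on-disk name, minus the
    OS modules whose version blocks are expected in any dump."""
    disk = on_disk_name.lower()
    return sorted({n for n in original_filenames(dump)
                   if n.lower() != disk and n.lower() not in KNOWN_OS_MODULES})


def version_string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' entry (wLength, wValueLength, wType,
    szKey, padding, Value) as constructed test data for the scanner."""
    k = key.encode("utf-16le") + b"\x00\x00"
    v = value.encode("utf-16le") + b"\x00\x00"
    pad = b"\x00\x00" if (6 + len(k)) % 4 else b""
    length = 6 + len(k) + len(pad) + len(v)
    return (length.to_bytes(2, "little") + (len(v) // 2).to_bytes(2, "little")
            + b"\x01\x00" + k + pad + v)


# Constructed dump: filler plus version entries carrying the names the report
# lists (Tyrone.dll, clr.dll, HRjb.exe) and the sample's own on-disk name.
CONSTRUCTED_DUMP = (
    b"\x00" * 64 + b"MZ" + b"\xcc" * 30
    + version_string_entry("OriginalFilename", "Tyrone.dll")
    + version_string_entry("FileVersion", "1.0.0.0")
    + version_string_entry("OriginalFilename", "clr.dll")
    + version_string_entry("OriginalFilename", "HRjb.exe")
    + version_string_entry("OriginalFilename", "vTHGfiwMDeoOH5a.exe")
)
```

            A mismatch on its own is weak evidence (renamed installers and downloaded files trip it constantly); it becomes interesting, as here, when the differing names belong to assemblies the sample carries inside itself rather than to the file on disk.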
            Source: vTHGfiwMDeoOH5a.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: vTHGfiwMDeoOH5a.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, LDl5nPYufdFH3nVylB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, LDl5nPYufdFH3nVylB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, LDl5nPYufdFH3nVylB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, LDl5nPYufdFH3nVylB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, LDl5nPYufdFH3nVylB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, LDl5nPYufdFH3nVylB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | Security API names: _0020.AddAccessRule
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/6@0/0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vTHGfiwMDeoOH5a.exe.log
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mr1kh3f1.hqq.ps1
            Source: vTHGfiwMDeoOH5a.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: vTHGfiwMDeoOH5a.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: vTHGfiwMDeoOH5a.exe | Virustotal: Detection: 36%
            Source: unknown | Process created: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Process created: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Process created: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
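            The process tree above shows the sample starting powershell.exe with Add-MpPreference -ExclusionPath pointed at its own path, then starting a second copy of itself, the child that is later injected into and in which the FormBook image is found. Both are worth a detection, including the variant the report's signature list names separately, where the MpPreference cmdlet is hidden behind -EncodedCommand. The Python below is an added example, not Joe Sandbox code and not part of the report: it runs both checks over constructed, Sysmon-style process-creation records modelled on the tree above. The record fields, the PIDs, the base64-encoded variant and the check names are assumptions for illustration; the report itself shows only the plain-text command line.

```python
import base64
import re

# Constructed Sysmon-style process-creation records modelled on the report's
# process tree. Field names and PIDs are assumptions, not report data.
SAMPLE = r"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# An -EncodedCommand variant (base64 of UTF-16LE text), built inline so the
# encoded form is exercised as well. This form is NOT in the report.
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16le")
).decode("ascii")

EVENTS = [
    {"pid": 1000, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 1100, "image": PS, "parent": SAMPLE,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 1200, "image": SAMPLE, "parent": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 1300, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'"{PS}" -NoProfile -EncodedCommand {ENCODED}'},
    {"pid": 1400, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{PS}" Get-MpPreference'},          # read-only, benign
]

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
_ENC = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Add-/Set-MpPreference with any -Exclusion* parameter on the same line.
# PowerShell accepts unambiguous parameter prefixes, so match the stem.
_MP = re.compile(r"\b(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion\w*", re.I)


def effective_command(cmdline: str) -> str:
    """The text PowerShell will run: the literal command line plus, when an
    -EncodedCommand argument is present, its decoded UTF-16LE payload."""
    m = _ENC.search(cmdline)
    if not m:
        return cmdline
    try:
        payload = base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + "\n" + payload


def defender_exclusion(ev: dict) -> bool:
    """Defender exclusion added through PowerShell, literal or base64-encoded."""
    return "powershell" in ev["image"].lower() and bool(_MP.search(effective_command(ev["cmdline"])))


def self_spawn(ev: dict) -> bool:
    """A process launching a second copy of its own image; in this report that
    child is created suspended and receives the injected FormBook PE."""
    return ev["image"].lower() == ev["parent"].lower()


def detect(events) -> list:
    """Return [(pid, check_name), ...] for every record that trips a check."""
    hits = []
    for ev in events:
        if defender_exclusion(ev):
            hits.append((ev["pid"], "defender_exclusion_added"))
        if self_spawn(ev):
            hits.append((ev["pid"], "self_spawn"))
    return hits
```

            Add-MpPreference changes the Defender configuration through the Defender WMI provider and needs an elevated token; the report lists mpclient.dll among the modules WmiPrvSE.exe loads, which is consistent with that path, but it does not say whether the exclusion was actually applied, so the command line, not its effect, is the signal to alert on. The self-spawn check is deliberately broad (updaters and some installers do it too); what makes it actionable here is the pairing with the suspended-create and PE-injection behaviour the report attributes to the same parent.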
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: msvcp140_clr0400.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: vTHGfiwMDeoOH5a.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: vTHGfiwMDeoOH5a.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: vTHGfiwMDeoOH5a.exe, 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vTHGfiwMDeoOH5a.exe, vTHGfiwMDeoOH5a.exe, 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            Source: vTHGfiwMDeoOH5a.exe, frmTimer.cs | .Net Code: InitializeComponent contains xor as well as GetObject
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | .Net Code: LiS9qqXQIm System.Reflection.Assembly.Load(byte[])
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | .Net Code: LiS9qqXQIm System.Reflection.Assembly.Load(byte[])
            Source: 0.2.vTHGfiwMDeoOH5a.exe.2b4f4dc.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7390000.3.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | .Net Code: LiS9qqXQIm System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 0_2_029F0E75 pushfd ; iretd | 0_2_029F0E79
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 0_2_029F0D62 push D000005Fh; iretd | 0_2_029F0F49
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00405130 push 276952D9h; iretd | 3_2_00405135
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_0041E990 push edx; ret | 3_2_0041E991
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00404A47 push edi; retf | 3_2_00404A48
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_0041F2F5 push edi; iretd | 3_2_0041F30F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_0041AA8F push ebx; ret | 3_2_0041AB40
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_0041F303 push edi; iretd | 3_2_0041F30F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00411B28 pushad ; ret | 3_2_00411B29
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_004033A0 push eax; ret | 3_2_004033A2
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00415C53 push 4D40979Fh; retf AA07h | 3_2_00415DF1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00426DE3 push edi; ret | 3_2_00426DEE
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_0041EDBB push eax; iretd | 3_2_0041EDD2
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00404E7A push ebp; ret | 3_2_00404E7B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00404EC0 push A00DC95Eh; retf | 3_2_00404EF3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_00408686 pushad ; retf | 3_2_00408687
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_014E225F pushad ; ret | 3_2_014E27F9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_014E27FA pushad ; ret | 3_2_014E27F9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_015109AD push ecx; mov dword ptr [esp], ecx | 3_2_015109B6
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_014E283D push eax; iretd | 3_2_014E2858
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Code function: 3_2_014E135E push eax; iretd | 3_2_014E1369
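            The rows above pair a push with a following return (ret, retf, iretd). The one form with a fixed meaning is push imm32; ret, which transfers control to the pushed immediate without a jmp or call, so a linear disassembler records a stack write and a function return where there is really a branch. The Python below is an added example and not Joe Sandbox's signature logic: a byte-pattern scan for the adjacent forms, reporting the pushed immediate as the branch target where one exists. The input bytes are constructed and the base address 0x401000 is an assumption. The report's start and end addresses (for instance 3_2_00415C53 to 3_2_00415DF1) show that the sandbox also pairs instructions that are not adjacent; this scan does not.

```python
# First-byte opcodes of the 32-bit x86 forms the report flags.
PUSH_IMM32 = 0x68
PUSH_REG = range(0x50, 0x58)            # push eax .. push edi
PUSHAD, PUSHFD = 0x60, 0x9C
RETURNS = {0xC3: "ret", 0xC2: "ret", 0xCB: "retf", 0xCA: "retf", 0xCF: "iretd"}
RET_WITH_IMM16 = (0xC2, 0xCA)           # ret imm16 / retf imm16
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def scan_push_ret(code: bytes, base: int = 0) -> list:
    """Byte-pattern scan (not a disassembler) for a push immediately followed
    by a return. Returns [(address, text, target)]: target is the pushed
    immediate for 'push imm32; ret' (a disguised 'jmp imm32') and None for
    the register, pushad and pushfd forms, whose destination is only known
    at run time. Because it is a sliding byte scan it also fires on data."""
    hits = []
    n = len(code)
    for i in range(n):
        op = code[i]
        if op == PUSH_IMM32 and i + 5 < n:
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            text, target, nxt = f"push {imm:08X}h", imm, i + 5
        elif op in PUSH_REG and i + 1 < n:
            text, target, nxt = f"push {REG[op - 0x50]}", None, i + 1
        elif op in (PUSHAD, PUSHFD) and i + 1 < n:
            text, target, nxt = ("pushad" if op == PUSHAD else "pushfd"), None, i + 1
        else:
            continue
        ret = code[nxt]
        if ret not in RETURNS:
            continue
        mnemonic = RETURNS[ret]
        if ret in RET_WITH_IMM16 and nxt + 2 < n:
            imm16 = int.from_bytes(code[nxt + 1:nxt + 3], "little")
            mnemonic += f" {imm16:04X}h"
        hits.append((base + i, f"{text}; {mnemonic}", target))
    return hits


# Constructed bytes, unrelated to the sample's code: nop; push 4D40979Fh;
# retf; push edi; iretd; pushad; ret; push 04030201h; nop; push edx; ret.
SAMPLE_CODE = bytes.fromhex("90 68 9f 97 40 4d cb 57 cf 60 c3 68 01 02 03 04 90 52 c3")
```

            Weigh the forms differently when triaging: push reg; retf, pushad; iretd and the like are rarely meaningful code and are produced constantly when a disassembler walks into data or packed bytes, whereas push imm32; ret with a target inside a mapped, executable region is worth a breakpoint, since that target is where the real code continues.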
            Source: vTHGfiwMDeoOH5a.exe | Static PE information: section name: .text entropy: 7.9436966526072
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, ba3N88TDtu18m3oEJG.cs | High entropy of concatenated method names: 'sfxR1vnkcy', 'cZyRtXXKbT', 'KEsRmMt8BO', 'P2sR3PoVQd', 'xyORe1YVj3', 'cbfRS3wEYR', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, XRfSFDcZcXQwjKUsfE.cs | High entropy of concatenated method names: 'JquwOcRAT9', 'qgiwhaKSpA', 'ToString', 'aiFwAnoJ2P', 'XnPw4dtLWE', 'Eu3wP5Cl7C', 'Folwk9xCgc', 'FW7wFBaSoc', 'l3Iw6eWeX5', 'GrowUGVeti'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, uZMfQ7W5mcV2JUnSvu.cs | High entropy of concatenated method names: 'wMnPDXW1Vt', 'QaEPiZeicV', 'H6bPYsGkyp', 'I03PW68kI7', 'KteP0POv3G', 'xO6PuY1k4f', 'sYCPwINGfB', 'WdtPRjjbVo', 'uqoPIBJa3E', 'EraPQeNN6o'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | High entropy of concatenated method names: 'VpNjrxn3cp', 'SXbjAc64wE', 'Hw8j4d70Gh', 'De7jPVf9dv', 'TDXjklypNd', 'ib0jF5bXqA', 'PiNj6eBXIc', 'SoAjU5NVsf', 'e93jK50RBW', 'YNZjOyqfdg'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, aKNnsRVCfJNmAfWqCf.cs | High entropy of concatenated method names: 'Px3RAs5lUU', 'O1pR4gfdqB', 'iFTRP4D0Sl', 'VuGRk3Hcj2', 'VsFRFYKs6P', 'jKJR6GGkQF', 'EhORUX9Du5', 'kc5RKwE9IP', 'EsdROmKPfZ', 'YAcRhmyqIh'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, ungGyadj3kweUfFhOD.cs | High entropy of concatenated method names: 'ToString', 'Ok7uHwZfld', 'c1NutCew9G', 'dqEumware3', 'X5Nu3Qs1MF', 'jAcuSuWoJg', 'JJIupNImUU', 'yNWulVYg32', 'KQHufx6aFI', 'TsFu83uJ4a'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, zwktOcBtRG25EyF05A.cs | High entropy of concatenated method names: 'WIj5YeD0sg', 'wJI5WDdQif', 'ERC51HOurh', 'EBW5t7PIlf', 'CNW53CNZq8', 'V1l5S9TbH4', 'Mal5l3SueH', 'GUX5f8pPxF', 'Jam5aBQenl', 'f3C5HroIyA'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, fyBJnA47PFDPUrY7MM.cs | High entropy of concatenated method names: 'Dispose', 'LQ0XToDhAW', 'WgCMtXUXqC', 'tDUAAVjfRx', 'T2KXgNnsRC', 'LJNXzmAfWq', 'ProcessDialogKey', 'vfXM2a3N88', 'ztuMX18m3o', 'WJGMMH18xK'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, yw2kqeehMuA8ix6S61.cs | High entropy of concatenated method names: 'sGs0anNbuW', 'XQ10NiFdyG', 'Qwu0e5RLOb', 'l5J0yModel', 'k0k0t9FUmL', 'BYy0mMLU2y', 'NeD03yqY2Z', 'r8K0SXvT6R', 'CNt0pfdnNR', 'K5G0lfxCUK'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, eWaGr1GlYIqflv0XjW.cs | High entropy of concatenated method names: 'h8kkLjp5pf', 'RrEkbYPX6H', 'mghPmFCHHc', 'KL8P3gKcc0', 'wEsPSKx5wg', 'ImqPpcVSYt', 'eAiPldTkFE', 'LvSPfquUuI', 'KKEP81Hkmo', 'MYtPaH5CTQ'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, z4sGsw1Z1CEdqFou2M.cs | High entropy of concatenated method names: 'RfKFrCH2E3', 'A3QF4ZacWZ', 'kRSFkDmjEW', 'x0pF6QUWWQ', 'pKIFU1w06q', 'uV6k7rR0j1', 'RqPknOOM3D', 'UTYkEcQlq2', 'x6OkViXiIg', 'uvnkTG7PfG'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, O18xKxgJqHQNNkpSib.cs | High entropy of concatenated method names: 'ULUIXMF4im', 'H4qIjytDi4', 'd1FI95N6EB', 'gkVIAGOdg0', 'dvlI42CrrA', 'IROIkvs87R', 'oVtIFIhPpC', 'fr4REl6afq', 'OviRVO1bon', 'lhgRT2K0Ak'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, aTjkFcXjE1tol7hKHl8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jbHQeZQItB', 'PAcQy2FBTy', 'R8kQdFQZwm', 'fLbQcdc9Xi', 'yCRQ7Pt3ND', 'Mb8Qnylg85', 'PRxQE2qRbH'
            Source: 0.2.vTHGfi+wMDeoOH5a.exe.3db7fe0.1.raw.unpack, V8PwcoX2UxgibwWX6lg.cs | High entropy of concatenated method names: 'gwAIJ35faH', 'LN4Ix573FH', 'MoxIqQG5HQ', 'DVLIDF1YrI', 'NQyILjmULA', 'kp9IijNpSk', 'LllIb8g1M5', 'tF9IY6vcTy', 'EGeIWcXpFK', 'qQvIG1Ktap'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, QCMdZSMUiyxjUBPGg7.cs | High entropy of concatenated method names: 'R8uqbPwkm', 'tDdDxgXg9', 'HZkiZtyIW', 'C3AbVRP3P', 'HF4WO4h0S', 'VMAGxwMd4', 'tXHLOFoQIZKV2CW9AL', 'uLxodbROYSqt1yiFCG', 'GLvR3NERB', 'ckRQxQU1B'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, WuQWPVnccAOMVU5SBt.cs | High entropy of concatenated method names: 'HDqwVEpD5i', 'hMjwgS0Y4u', 'oSJR2ZJC5B', 'ThhRXdfBSE', 'oDWwH8t8O2', 'PwLwNydWSf', 'oR3wBDCcXd', 'gDBwey0kSu', 'oQZwyBahbm', 'JbHwdhKG1N'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, LDl5nPYufdFH3nVylB.cs | High entropy of concatenated method names: 'vil4eRved5', 'pGR4yVvbPM', 'N9Y4dPSiXM', 'J6F4cWKJo9', 'ABB47LDFpc', 'Wu64nHo1vd', 'lt54E1Bwik', 'QWn4Vs7POR', 'u6X4TUOC7M', 'zA24g1DZK8'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, BQrxGT8pP9gJrmxrsh.cs | High entropy of concatenated method names: 'FGy6J6v4lb', 'R1l6xqLVSZ', 'cqZ6qYFd3t', 'Qj16DJ5HCa', 'mI06LxgvqG', 'RcB6i41CNs', 'R4a6biuBRU', 'z346YcIDkf', 'LCj6W5F84M', 'wc26G1Iqg4'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, PlItGS92uBjpgRuUCT.cs | High entropy of concatenated method names: 'WAfX6Dl5nP', 'pfdXUFH3nV', 'U5mXOcV2JU', 'USvXhurWaG', 'w0XX0jWq4s', 'FswXuZ1CEd', 'uslxavlmufF4Tin0jy', 'ycovvUAqKfuXcHMy3M', 'hBBXXJWeUG', 'rOlXjIhIj5'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, qIUTxLzvQK6sRcgxxP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NEgI5vGAL5', 'EwrI0PdhQ9', 'dP7IuC10Is', 'acTIwG3JIu', 'fhEIRothww', 'S95II6R8BX', 'Il9IQHYro4'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3db7fe0.1.raw.unpack, uiKGN9lRraX3UpGJ5h.cs | High entropy of concatenated method names: 'Fim6AZ9627', 'VT86PIr48c', 'Cla6FGsTd9', 'JNGFgVYeGx', 'D4wFzd51lm', 'jw362mQDG2', 'igp6XN3NLj', 'i506MmXxcW', 'wPl6j53U1Q', 'aWT69SJp8P'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, ba3N88TDtu18m3oEJG.cs | High entropy of concatenated method names: 'sfxR1vnkcy', 'cZyRtXXKbT', 'KEsRmMt8BO', 'P2sR3PoVQd', 'xyORe1YVj3', 'cbfRS3wEYR', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, XRfSFDcZcXQwjKUsfE.cs | High entropy of concatenated method names: 'JquwOcRAT9', 'qgiwhaKSpA', 'ToString', 'aiFwAnoJ2P', 'XnPw4dtLWE', 'Eu3wP5Cl7C', 'Folwk9xCgc', 'FW7wFBaSoc', 'l3Iw6eWeX5', 'GrowUGVeti'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, uZMfQ7W5mcV2JUnSvu.cs | High entropy of concatenated method names: 'wMnPDXW1Vt', 'QaEPiZeicV', 'H6bPYsGkyp', 'I03PW68kI7', 'KteP0POv3G', 'xO6PuY1k4f', 'sYCPwINGfB', 'WdtPRjjbVo', 'uqoPIBJa3E', 'EraPQeNN6o'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | High entropy of concatenated method names: 'VpNjrxn3cp', 'SXbjAc64wE', 'Hw8j4d70Gh', 'De7jPVf9dv', 'TDXjklypNd', 'ib0jF5bXqA', 'PiNj6eBXIc', 'SoAjU5NVsf', 'e93jK50RBW', 'YNZjOyqfdg'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, aKNnsRVCfJNmAfWqCf.cs | High entropy of concatenated method names: 'Px3RAs5lUU', 'O1pR4gfdqB', 'iFTRP4D0Sl', 'VuGRk3Hcj2', 'VsFRFYKs6P', 'jKJR6GGkQF', 'EhORUX9Du5', 'kc5RKwE9IP', 'EsdROmKPfZ', 'YAcRhmyqIh'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, ungGyadj3kweUfFhOD.cs | High entropy of concatenated method names: 'ToString', 'Ok7uHwZfld', 'c1NutCew9G', 'dqEumware3', 'X5Nu3Qs1MF', 'jAcuSuWoJg', 'JJIupNImUU', 'yNWulVYg32', 'KQHufx6aFI', 'TsFu83uJ4a'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, zwktOcBtRG25EyF05A.cs | High entropy of concatenated method names: 'WIj5YeD0sg', 'wJI5WDdQif', 'ERC51HOurh', 'EBW5t7PIlf', 'CNW53CNZq8', 'V1l5S9TbH4', 'Mal5l3SueH', 'GUX5f8pPxF', 'Jam5aBQenl', 'f3C5HroIyA'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, fyBJnA47PFDPUrY7MM.cs | High entropy of concatenated method names: 'Dispose', 'LQ0XToDhAW', 'WgCMtXUXqC', 'tDUAAVjfRx', 'T2KXgNnsRC', 'LJNXzmAfWq', 'ProcessDialogKey', 'vfXM2a3N88', 'ztuMX18m3o', 'WJGMMH18xK'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, yw2kqeehMuA8ix6S61.cs | High entropy of concatenated method names: 'sGs0anNbuW', 'XQ10NiFdyG', 'Qwu0e5RLOb', 'l5J0yModel', 'k0k0t9FUmL', 'BYy0mMLU2y', 'NeD03yqY2Z', 'r8K0SXvT6R', 'CNt0pfdnNR', 'K5G0lfxCUK'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, eWaGr1GlYIqflv0XjW.cs | High entropy of concatenated method names: 'h8kkLjp5pf', 'RrEkbYPX6H', 'mghPmFCHHc', 'KL8P3gKcc0', 'wEsPSKx5wg', 'ImqPpcVSYt', 'eAiPldTkFE', 'LvSPfquUuI', 'KKEP81Hkmo', 'MYtPaH5CTQ'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, z4sGsw1Z1CEdqFou2M.cs | High entropy of concatenated method names: 'RfKFrCH2E3', 'A3QF4ZacWZ', 'kRSFkDmjEW', 'x0pF6QUWWQ', 'pKIFU1w06q', 'uV6k7rR0j1', 'RqPknOOM3D', 'UTYkEcQlq2', 'x6OkViXiIg', 'uvnkTG7PfG'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, O18xKxgJqHQNNkpSib.cs | High entropy of concatenated method names: 'ULUIXMF4im', 'H4qIjytDi4', 'd1FI95N6EB', 'gkVIAGOdg0', 'dvlI42CrrA', 'IROIkvs87R', 'oVtIFIhPpC', 'fr4REl6afq', 'OviRVO1bon', 'lhgRT2K0Ak'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, aTjkFcXjE1tol7hKHl8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jbHQeZQItB', 'PAcQy2FBTy', 'R8kQdFQZwm', 'fLbQcdc9Xi', 'yCRQ7Pt3ND', 'Mb8Qnylg85', 'PRxQE2qRbH'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, V8PwcoX2UxgibwWX6lg.cs | High entropy of concatenated method names: 'gwAIJ35faH', 'LN4Ix573FH', 'MoxIqQG5HQ', 'DVLIDF1YrI', 'NQyILjmULA', 'kp9IijNpSk', 'LllIb8g1M5', 'tF9IY6vcTy', 'EGeIWcXpFK', 'qQvIG1Ktap'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, QCMdZSMUiyxjUBPGg7.cs | High entropy of concatenated method names: 'R8uqbPwkm', 'tDdDxgXg9', 'HZkiZtyIW', 'C3AbVRP3P', 'HF4WO4h0S', 'VMAGxwMd4', 'tXHLOFoQIZKV2CW9AL', 'uLxodbROYSqt1yiFCG', 'GLvR3NERB', 'ckRQxQU1B'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, WuQWPVnccAOMVU5SBt.cs | High entropy of concatenated method names: 'HDqwVEpD5i', 'hMjwgS0Y4u', 'oSJR2ZJC5B', 'ThhRXdfBSE', 'oDWwH8t8O2', 'PwLwNydWSf', 'oR3wBDCcXd', 'gDBwey0kSu', 'oQZwyBahbm', 'JbHwdhKG1N'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, LDl5nPYufdFH3nVylB.cs | High entropy of concatenated method names: 'vil4eRved5', 'pGR4yVvbPM', 'N9Y4dPSiXM', 'J6F4cWKJo9', 'ABB47LDFpc', 'Wu64nHo1vd', 'lt54E1Bwik', 'QWn4Vs7POR', 'u6X4TUOC7M', 'zA24g1DZK8'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, BQrxGT8pP9gJrmxrsh.cs | High entropy of concatenated method names: 'FGy6J6v4lb', 'R1l6xqLVSZ', 'cqZ6qYFd3t', 'Qj16DJ5HCa', 'mI06LxgvqG', 'RcB6i41CNs', 'R4a6biuBRU', 'z346YcIDkf', 'LCj6W5F84M', 'wc26G1Iqg4'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, PlItGS92uBjpgRuUCT.csHigh entropy of concatenated method names: 'WAfX6Dl5nP', 'pfdXUFH3nV', 'U5mXOcV2JU', 'USvXhurWaG', 'w0XX0jWq4s', 'FswXuZ1CEd', 'uslxavlmufF4Tin0jy', 'ycovvUAqKfuXcHMy3M', 'hBBXXJWeUG', 'rOlXjIhIj5'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, qIUTxLzvQK6sRcgxxP.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NEgI5vGAL5', 'EwrI0PdhQ9', 'dP7IuC10Is', 'acTIwG3JIu', 'fhEIRothww', 'S95II6R8BX', 'Il9IQHYro4'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.7500000.4.raw.unpack, uiKGN9lRraX3UpGJ5h.csHigh entropy of concatenated method names: 'Fim6AZ9627', 'VT86PIr48c', 'Cla6FGsTd9', 'JNGFgVYeGx', 'D4wFzd51lm', 'jw362mQDG2', 'igp6XN3NLj', 'i506MmXxcW', 'wPl6j53U1Q', 'aWT69SJp8P'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, ba3N88TDtu18m3oEJG.cs | High entropy of concatenated method names: 'sfxR1vnkcy', 'cZyRtXXKbT', 'KEsRmMt8BO', 'P2sR3PoVQd', 'xyORe1YVj3', 'cbfRS3wEYR', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, XRfSFDcZcXQwjKUsfE.cs | High entropy of concatenated method names: 'JquwOcRAT9', 'qgiwhaKSpA', 'ToString', 'aiFwAnoJ2P', 'XnPw4dtLWE', 'Eu3wP5Cl7C', 'Folwk9xCgc', 'FW7wFBaSoc', 'l3Iw6eWeX5', 'GrowUGVeti'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, uZMfQ7W5mcV2JUnSvu.cs | High entropy of concatenated method names: 'wMnPDXW1Vt', 'QaEPiZeicV', 'H6bPYsGkyp', 'I03PW68kI7', 'KteP0POv3G', 'xO6PuY1k4f', 'sYCPwINGfB', 'WdtPRjjbVo', 'uqoPIBJa3E', 'EraPQeNN6o'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, qM4DLCUWw1tQ9OXMGh.cs | High entropy of concatenated method names: 'VpNjrxn3cp', 'SXbjAc64wE', 'Hw8j4d70Gh', 'De7jPVf9dv', 'TDXjklypNd', 'ib0jF5bXqA', 'PiNj6eBXIc', 'SoAjU5NVsf', 'e93jK50RBW', 'YNZjOyqfdg'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, aKNnsRVCfJNmAfWqCf.cs | High entropy of concatenated method names: 'Px3RAs5lUU', 'O1pR4gfdqB', 'iFTRP4D0Sl', 'VuGRk3Hcj2', 'VsFRFYKs6P', 'jKJR6GGkQF', 'EhORUX9Du5', 'kc5RKwE9IP', 'EsdROmKPfZ', 'YAcRhmyqIh'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, ungGyadj3kweUfFhOD.cs | High entropy of concatenated method names: 'ToString', 'Ok7uHwZfld', 'c1NutCew9G', 'dqEumware3', 'X5Nu3Qs1MF', 'jAcuSuWoJg', 'JJIupNImUU', 'yNWulVYg32', 'KQHufx6aFI', 'TsFu83uJ4a'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, zwktOcBtRG25EyF05A.cs | High entropy of concatenated method names: 'WIj5YeD0sg', 'wJI5WDdQif', 'ERC51HOurh', 'EBW5t7PIlf', 'CNW53CNZq8', 'V1l5S9TbH4', 'Mal5l3SueH', 'GUX5f8pPxF', 'Jam5aBQenl', 'f3C5HroIyA'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, fyBJnA47PFDPUrY7MM.cs | High entropy of concatenated method names: 'Dispose', 'LQ0XToDhAW', 'WgCMtXUXqC', 'tDUAAVjfRx', 'T2KXgNnsRC', 'LJNXzmAfWq', 'ProcessDialogKey', 'vfXM2a3N88', 'ztuMX18m3o', 'WJGMMH18xK'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, yw2kqeehMuA8ix6S61.cs | High entropy of concatenated method names: 'sGs0anNbuW', 'XQ10NiFdyG', 'Qwu0e5RLOb', 'l5J0yModel', 'k0k0t9FUmL', 'BYy0mMLU2y', 'NeD03yqY2Z', 'r8K0SXvT6R', 'CNt0pfdnNR', 'K5G0lfxCUK'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, eWaGr1GlYIqflv0XjW.cs | High entropy of concatenated method names: 'h8kkLjp5pf', 'RrEkbYPX6H', 'mghPmFCHHc', 'KL8P3gKcc0', 'wEsPSKx5wg', 'ImqPpcVSYt', 'eAiPldTkFE', 'LvSPfquUuI', 'KKEP81Hkmo', 'MYtPaH5CTQ'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, z4sGsw1Z1CEdqFou2M.cs | High entropy of concatenated method names: 'RfKFrCH2E3', 'A3QF4ZacWZ', 'kRSFkDmjEW', 'x0pF6QUWWQ', 'pKIFU1w06q', 'uV6k7rR0j1', 'RqPknOOM3D', 'UTYkEcQlq2', 'x6OkViXiIg', 'uvnkTG7PfG'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, O18xKxgJqHQNNkpSib.cs | High entropy of concatenated method names: 'ULUIXMF4im', 'H4qIjytDi4', 'd1FI95N6EB', 'gkVIAGOdg0', 'dvlI42CrrA', 'IROIkvs87R', 'oVtIFIhPpC', 'fr4REl6afq', 'OviRVO1bon', 'lhgRT2K0Ak'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, aTjkFcXjE1tol7hKHl8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jbHQeZQItB', 'PAcQy2FBTy', 'R8kQdFQZwm', 'fLbQcdc9Xi', 'yCRQ7Pt3ND', 'Mb8Qnylg85', 'PRxQE2qRbH'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, V8PwcoX2UxgibwWX6lg.cs | High entropy of concatenated method names: 'gwAIJ35faH', 'LN4Ix573FH', 'MoxIqQG5HQ', 'DVLIDF1YrI', 'NQyILjmULA', 'kp9IijNpSk', 'LllIb8g1M5', 'tF9IY6vcTy', 'EGeIWcXpFK', 'qQvIG1Ktap'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, QCMdZSMUiyxjUBPGg7.cs | High entropy of concatenated method names: 'R8uqbPwkm', 'tDdDxgXg9', 'HZkiZtyIW', 'C3AbVRP3P', 'HF4WO4h0S', 'VMAGxwMd4', 'tXHLOFoQIZKV2CW9AL', 'uLxodbROYSqt1yiFCG', 'GLvR3NERB', 'ckRQxQU1B'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, WuQWPVnccAOMVU5SBt.cs | High entropy of concatenated method names: 'HDqwVEpD5i', 'hMjwgS0Y4u', 'oSJR2ZJC5B', 'ThhRXdfBSE', 'oDWwH8t8O2', 'PwLwNydWSf', 'oR3wBDCcXd', 'gDBwey0kSu', 'oQZwyBahbm', 'JbHwdhKG1N'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, LDl5nPYufdFH3nVylB.cs | High entropy of concatenated method names: 'vil4eRved5', 'pGR4yVvbPM', 'N9Y4dPSiXM', 'J6F4cWKJo9', 'ABB47LDFpc', 'Wu64nHo1vd', 'lt54E1Bwik', 'QWn4Vs7POR', 'u6X4TUOC7M', 'zA24g1DZK8'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, BQrxGT8pP9gJrmxrsh.cs | High entropy of concatenated method names: 'FGy6J6v4lb', 'R1l6xqLVSZ', 'cqZ6qYFd3t', 'Qj16DJ5HCa', 'mI06LxgvqG', 'RcB6i41CNs', 'R4a6biuBRU', 'z346YcIDkf', 'LCj6W5F84M', 'wc26G1Iqg4'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, PlItGS92uBjpgRuUCT.cs | High entropy of concatenated method names: 'WAfX6Dl5nP', 'pfdXUFH3nV', 'U5mXOcV2JU', 'USvXhurWaG', 'w0XX0jWq4s', 'FswXuZ1CEd', 'uslxavlmufF4Tin0jy', 'ycovvUAqKfuXcHMy3M', 'hBBXXJWeUG', 'rOlXjIhIj5'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, qIUTxLzvQK6sRcgxxP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NEgI5vGAL5', 'EwrI0PdhQ9', 'dP7IuC10Is', 'acTIwG3JIu', 'fhEIRothww', 'S95II6R8BX', 'Il9IQHYro4'
            Source: 0.2.vTHGfiwMDeoOH5a.exe.3c13290.2.raw.unpack, uiKGN9lRraX3UpGJ5h.cs | High entropy of concatenated method names: 'Fim6AZ9627', 'VT86PIr48c', 'Cla6FGsTd9', 'JNGFgVYeGx', 'D4wFzd51lm', 'jw362mQDG2', 'igp6XN3NLj', 'i506MmXxcW', 'wPl6j53U1Q', 'aWT69SJp8P'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: vTHGfiwMDeoOH5a.exe PID: 6640, type: MEMORYSTR
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 7A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 8A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 8BC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Memory allocated: 9BC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0041AA8F rdtsc 3_2_0041AA8F
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7610
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1762
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4296 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe TID: 5780 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: vTHGfiwMDeoOH5a.exe, 00000000.00000002.1736350267.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: vTHGfiwMDeoOH5a.exe, 00000000.00000002.1736350267.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} /
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0041AA8F rdtsc 3_2_0041AA8F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_00417983 LdrLoadDll,3_2_00417983
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A8158 mov eax, dword ptr fs:[00000030h]3_2_015A8158
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01516154 mov eax, dword ptr fs:[00000030h]3_2_01516154
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01516154 mov eax, dword ptr fs:[00000030h]3_2_01516154
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150C156 mov eax, dword ptr fs:[00000030h]3_2_0150C156
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A4144 mov eax, dword ptr fs:[00000030h]3_2_015A4144
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A4144 mov eax, dword ptr fs:[00000030h]3_2_015A4144
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A4144 mov ecx, dword ptr fs:[00000030h]3_2_015A4144
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A4144 mov eax, dword ptr fs:[00000030h]3_2_015A4144
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A4144 mov eax, dword ptr fs:[00000030h]3_2_015A4144
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E4164 mov eax, dword ptr fs:[00000030h]3_2_015E4164
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E4164 mov eax, dword ptr fs:[00000030h]3_2_015E4164
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BA118 mov ecx, dword ptr fs:[00000030h]3_2_015BA118
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BA118 mov eax, dword ptr fs:[00000030h]3_2_015BA118
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BA118 mov eax, dword ptr fs:[00000030h]3_2_015BA118
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BA118 mov eax, dword ptr fs:[00000030h]3_2_015BA118
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015D0115 mov eax, dword ptr fs:[00000030h]3_2_015D0115
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov eax, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov ecx, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov eax, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov eax, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov ecx, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov eax, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov eax, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov ecx, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov eax, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE10E mov ecx, dword ptr fs:[00000030h]3_2_015BE10E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01540124 mov eax, dword ptr fs:[00000030h]3_2_01540124
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158E1D0 mov eax, dword ptr fs:[00000030h]3_2_0158E1D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158E1D0 mov eax, dword ptr fs:[00000030h]3_2_0158E1D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158E1D0 mov ecx, dword ptr fs:[00000030h]3_2_0158E1D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158E1D0 mov eax, dword ptr fs:[00000030h]3_2_0158E1D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158E1D0 mov eax, dword ptr fs:[00000030h]3_2_0158E1D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015D61C3 mov eax, dword ptr fs:[00000030h]3_2_015D61C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015D61C3 mov eax, dword ptr fs:[00000030h]3_2_015D61C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015401F8 mov eax, dword ptr fs:[00000030h]3_2_015401F8
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E61E5 mov eax, dword ptr fs:[00000030h]3_2_015E61E5
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159019F mov eax, dword ptr fs:[00000030h]3_2_0159019F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159019F mov eax, dword ptr fs:[00000030h]3_2_0159019F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159019F mov eax, dword ptr fs:[00000030h]3_2_0159019F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159019F mov eax, dword ptr fs:[00000030h]3_2_0159019F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150A197 mov eax, dword ptr fs:[00000030h]3_2_0150A197
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150A197 mov eax, dword ptr fs:[00000030h]3_2_0150A197
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150A197 mov eax, dword ptr fs:[00000030h]3_2_0150A197
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01550185 mov eax, dword ptr fs:[00000030h]3_2_01550185
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015CC188 mov eax, dword ptr fs:[00000030h]3_2_015CC188
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015CC188 mov eax, dword ptr fs:[00000030h]3_2_015CC188
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B4180 mov eax, dword ptr fs:[00000030h]3_2_015B4180
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B4180 mov eax, dword ptr fs:[00000030h]3_2_015B4180
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01512050 mov eax, dword ptr fs:[00000030h]3_2_01512050
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01596050 mov eax, dword ptr fs:[00000030h]3_2_01596050
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0153C073 mov eax, dword ptr fs:[00000030h]3_2_0153C073
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E016 mov eax, dword ptr fs:[00000030h]3_2_0152E016
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E016 mov eax, dword ptr fs:[00000030h]3_2_0152E016
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E016 mov eax, dword ptr fs:[00000030h]3_2_0152E016
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E016 mov eax, dword ptr fs:[00000030h]3_2_0152E016
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01594000 mov ecx, dword ptr fs:[00000030h]3_2_01594000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B2000 mov eax, dword ptr fs:[00000030h]3_2_015B2000
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A6030 mov eax, dword ptr fs:[00000030h]3_2_015A6030
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150A020 mov eax, dword ptr fs:[00000030h]3_2_0150A020
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150C020 mov eax, dword ptr fs:[00000030h]3_2_0150C020
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015920DE mov eax, dword ptr fs:[00000030h]3_2_015920DE
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150C0F0 mov eax, dword ptr fs:[00000030h]3_2_0150C0F0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015520F0 mov ecx, dword ptr fs:[00000030h]3_2_015520F0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0150A0E3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015180E9 mov eax, dword ptr fs:[00000030h]3_2_015180E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015960E0 mov eax, dword ptr fs:[00000030h]3_2_015960E0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151208A mov eax, dword ptr fs:[00000030h]3_2_0151208A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015D60B8 mov eax, dword ptr fs:[00000030h]3_2_015D60B8
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015D60B8 mov ecx, dword ptr fs:[00000030h]3_2_015D60B8
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015080A0 mov eax, dword ptr fs:[00000030h]3_2_015080A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A80A8 mov eax, dword ptr fs:[00000030h]3_2_015A80A8
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159035C mov eax, dword ptr fs:[00000030h]3_2_0159035C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159035C mov eax, dword ptr fs:[00000030h]3_2_0159035C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159035C mov eax, dword ptr fs:[00000030h]3_2_0159035C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159035C mov ecx, dword ptr fs:[00000030h]3_2_0159035C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159035C mov eax, dword ptr fs:[00000030h]3_2_0159035C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159035C mov eax, dword ptr fs:[00000030h]3_2_0159035C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B8350 mov ecx, dword ptr fs:[00000030h]3_2_015B8350
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015DA352 mov eax, dword ptr fs:[00000030h]3_2_015DA352
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01592349 mov eax, dword ptr fs:[00000030h]3_2_01592349
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E634F mov eax, dword ptr fs:[00000030h]3_2_015E634F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B437C mov eax, dword ptr fs:[00000030h]3_2_015B437C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150C310 mov ecx, dword ptr fs:[00000030h]3_2_0150C310
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01530310 mov ecx, dword ptr fs:[00000030h]3_2_01530310
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154A30B mov eax, dword ptr fs:[00000030h]3_2_0154A30B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154A30B mov eax, dword ptr fs:[00000030h]3_2_0154A30B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154A30B mov eax, dword ptr fs:[00000030h]3_2_0154A30B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E8324 mov eax, dword ptr fs:[00000030h]3_2_015E8324
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E8324 mov ecx, dword ptr fs:[00000030h]3_2_015E8324
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E8324 mov eax, dword ptr fs:[00000030h]3_2_015E8324
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E8324 mov eax, dword ptr fs:[00000030h]3_2_015E8324
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE3DB mov eax, dword ptr fs:[00000030h]3_2_015BE3DB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE3DB mov eax, dword ptr fs:[00000030h]3_2_015BE3DB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE3DB mov ecx, dword ptr fs:[00000030h]3_2_015BE3DB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BE3DB mov eax, dword ptr fs:[00000030h]3_2_015BE3DB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B43D4 mov eax, dword ptr fs:[00000030h]3_2_015B43D4
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015B43D4 mov eax, dword ptr fs:[00000030h]3_2_015B43D4
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015CC3CD mov eax, dword ptr fs:[00000030h]3_2_015CC3CD
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A3C0 mov eax, dword ptr fs:[00000030h]3_2_0151A3C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A3C0 mov eax, dword ptr fs:[00000030h]3_2_0151A3C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A3C0 mov eax, dword ptr fs:[00000030h]3_2_0151A3C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A3C0 mov eax, dword ptr fs:[00000030h]3_2_0151A3C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A3C0 mov eax, dword ptr fs:[00000030h]3_2_0151A3C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A3C0 mov eax, dword ptr fs:[00000030h]3_2_0151A3C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015183C0 mov eax, dword ptr fs:[00000030h]3_2_015183C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015183C0 mov eax, dword ptr fs:[00000030h]3_2_015183C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015183C0 mov eax, dword ptr fs:[00000030h]3_2_015183C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015183C0 mov eax, dword ptr fs:[00000030h]3_2_015183C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015963C0 mov eax, dword ptr fs:[00000030h]3_2_015963C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E3F0 mov eax, dword ptr fs:[00000030h]3_2_0152E3F0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E3F0 mov eax, dword ptr fs:[00000030h]3_2_0152E3F0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0152E3F0 mov eax, dword ptr fs:[00000030h]3_2_0152E3F0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015463FF mov eax, dword ptr fs:[00000030h]3_2_015463FF
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015203E9 mov eax, dword ptr fs:[00000030h]3_2_015203E9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01508397 mov eax, dword ptr fs:[00000030h]3_2_01508397
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01508397 mov eax, dword ptr fs:[00000030h]3_2_01508397
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01508397 mov eax, dword ptr fs:[00000030h]3_2_01508397
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150E388 mov eax, dword ptr fs:[00000030h]3_2_0150E388
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150E388 mov eax, dword ptr fs:[00000030h]3_2_0150E388
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150E388 mov eax, dword ptr fs:[00000030h]3_2_0150E388
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0153438F mov eax, dword ptr fs:[00000030h]3_2_0153438F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0153438F mov eax, dword ptr fs:[00000030h]3_2_0153438F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150A250 mov eax, dword ptr fs:[00000030h]3_2_0150A250
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E625D mov eax, dword ptr fs:[00000030h]3_2_015E625D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01516259 mov eax, dword ptr fs:[00000030h]3_2_01516259
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015CA250 mov eax, dword ptr fs:[00000030h]3_2_015CA250
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015CA250 mov eax, dword ptr fs:[00000030h]3_2_015CA250
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01598243 mov eax, dword ptr fs:[00000030h]3_2_01598243
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01598243 mov ecx, dword ptr fs:[00000030h]3_2_01598243
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015C0274 mov eax, dword ptr fs:[00000030h]3_2_015C0274
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01514260 mov eax, dword ptr fs:[00000030h]3_2_01514260
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01514260 mov eax, dword ptr fs:[00000030h]3_2_01514260
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01514260 mov eax, dword ptr fs:[00000030h]3_2_01514260
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150826B mov eax, dword ptr fs:[00000030h]3_2_0150826B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0150823B mov eax, dword ptr fs:[00000030h]3_2_0150823B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E62D6 mov eax, dword ptr fs:[00000030h]3_2_015E62D6
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A2C3 mov eax, dword ptr fs:[00000030h]3_2_0151A2C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A2C3 mov eax, dword ptr fs:[00000030h]3_2_0151A2C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A2C3 mov eax, dword ptr fs:[00000030h]3_2_0151A2C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A2C3 mov eax, dword ptr fs:[00000030h]3_2_0151A2C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151A2C3 mov eax, dword ptr fs:[00000030h]3_2_0151A2C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015202E1 mov eax, dword ptr fs:[00000030h]3_2_015202E1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015202E1 mov eax, dword ptr fs:[00000030h]3_2_015202E1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015202E1 mov eax, dword ptr fs:[00000030h]3_2_015202E1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154E284 mov eax, dword ptr fs:[00000030h]3_2_0154E284
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154E284 mov eax, dword ptr fs:[00000030h]3_2_0154E284
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01590283 mov eax, dword ptr fs:[00000030h]3_2_01590283
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01590283 mov eax, dword ptr fs:[00000030h]3_2_01590283
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01590283 mov eax, dword ptr fs:[00000030h]3_2_01590283
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015202A0 mov eax, dword ptr fs:[00000030h]3_2_015202A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015202A0 mov eax, dword ptr fs:[00000030h]3_2_015202A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A62A0 mov eax, dword ptr fs:[00000030h]3_2_015A62A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A62A0 mov ecx, dword ptr fs:[00000030h]3_2_015A62A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A62A0 mov eax, dword ptr fs:[00000030h]3_2_015A62A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A62A0 mov eax, dword ptr fs:[00000030h]3_2_015A62A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A62A0 mov eax, dword ptr fs:[00000030h]3_2_015A62A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A62A0 mov eax, dword ptr fs:[00000030h]3_2_015A62A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01518550 mov eax, dword ptr fs:[00000030h]3_2_01518550
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01518550 mov eax, dword ptr fs:[00000030h]3_2_01518550
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154656A mov eax, dword ptr fs:[00000030h]3_2_0154656A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154656A mov eax, dword ptr fs:[00000030h]3_2_0154656A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154656A mov eax, dword ptr fs:[00000030h]3_2_0154656A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015A6500 mov eax, dword ptr fs:[00000030h]3_2_015A6500
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E4500 mov eax, dword ptr fs:[00000030h]3_2_015E4500
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E4500 mov eax, dword ptr fs:[00000030h]3_2_015E4500
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E4500 mov eax, dword ptr fs:[00000030h]3_2_015E4500
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015E4500 mov eax, dword ptr fs:[00000030h]3_2_015E4500
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015E4500 mov eax, dword ptr fs:[00000030h] 3_2_015E4500
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01520535 mov eax, dword ptr fs:[00000030h] 3_2_01520535
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153E53E mov eax, dword ptr fs:[00000030h] 3_2_0153E53E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015165D0 mov eax, dword ptr fs:[00000030h] 3_2_015165D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154A5D0 mov eax, dword ptr fs:[00000030h] 3_2_0154A5D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154E5CF mov eax, dword ptr fs:[00000030h] 3_2_0154E5CF
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015125E0 mov eax, dword ptr fs:[00000030h] 3_2_015125E0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0153E5E7
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154C5ED mov eax, dword ptr fs:[00000030h] 3_2_0154C5ED
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154E59C mov eax, dword ptr fs:[00000030h] 3_2_0154E59C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01512582 mov eax, dword ptr fs:[00000030h] 3_2_01512582
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01512582 mov ecx, dword ptr fs:[00000030h] 3_2_01512582
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01544588 mov eax, dword ptr fs:[00000030h] 3_2_01544588
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015345B1 mov eax, dword ptr fs:[00000030h] 3_2_015345B1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015905A7 mov eax, dword ptr fs:[00000030h] 3_2_015905A7
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153245A mov eax, dword ptr fs:[00000030h] 3_2_0153245A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015CA456 mov eax, dword ptr fs:[00000030h] 3_2_015CA456
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0150645D mov eax, dword ptr fs:[00000030h] 3_2_0150645D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154E443 mov eax, dword ptr fs:[00000030h] 3_2_0154E443
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153A470 mov eax, dword ptr fs:[00000030h] 3_2_0153A470
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159C460 mov ecx, dword ptr fs:[00000030h] 3_2_0159C460
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01548402 mov eax, dword ptr fs:[00000030h] 3_2_01548402
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154A430 mov eax, dword ptr fs:[00000030h] 3_2_0154A430
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0150E420 mov eax, dword ptr fs:[00000030h] 3_2_0150E420
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0150C427 mov eax, dword ptr fs:[00000030h] 3_2_0150C427
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01596420 mov eax, dword ptr fs:[00000030h] 3_2_01596420
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015104E5 mov ecx, dword ptr fs:[00000030h] 3_2_015104E5
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015CA49A mov eax, dword ptr fs:[00000030h] 3_2_015CA49A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015444B0 mov ecx, dword ptr fs:[00000030h] 3_2_015444B0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159A4B0 mov eax, dword ptr fs:[00000030h] 3_2_0159A4B0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015164AB mov eax, dword ptr fs:[00000030h] 3_2_015164AB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01510750 mov eax, dword ptr fs:[00000030h] 3_2_01510750
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159E75D mov eax, dword ptr fs:[00000030h] 3_2_0159E75D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01552750 mov eax, dword ptr fs:[00000030h] 3_2_01552750
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01594755 mov eax, dword ptr fs:[00000030h] 3_2_01594755
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154674D mov esi, dword ptr fs:[00000030h] 3_2_0154674D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154674D mov eax, dword ptr fs:[00000030h] 3_2_0154674D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01518770 mov eax, dword ptr fs:[00000030h] 3_2_01518770
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01520770 mov eax, dword ptr fs:[00000030h] 3_2_01520770
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01510710 mov eax, dword ptr fs:[00000030h] 3_2_01510710
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01540710 mov eax, dword ptr fs:[00000030h] 3_2_01540710
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154C700 mov eax, dword ptr fs:[00000030h] 3_2_0154C700
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154273C mov eax, dword ptr fs:[00000030h] 3_2_0154273C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154273C mov ecx, dword ptr fs:[00000030h] 3_2_0154273C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0158C730 mov eax, dword ptr fs:[00000030h] 3_2_0158C730
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154C720 mov eax, dword ptr fs:[00000030h] 3_2_0154C720
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0151C7C0 mov eax, dword ptr fs:[00000030h] 3_2_0151C7C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015907C3 mov eax, dword ptr fs:[00000030h] 3_2_015907C3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015147FB mov eax, dword ptr fs:[00000030h] 3_2_015147FB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159E7E1 mov eax, dword ptr fs:[00000030h] 3_2_0159E7E1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015327ED mov eax, dword ptr fs:[00000030h] 3_2_015327ED
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015B678E mov eax, dword ptr fs:[00000030h] 3_2_015B678E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015C47A0 mov eax, dword ptr fs:[00000030h] 3_2_015C47A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015107AF mov eax, dword ptr fs:[00000030h] 3_2_015107AF
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0152C640 mov eax, dword ptr fs:[00000030h] 3_2_0152C640
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01542674 mov eax, dword ptr fs:[00000030h] 3_2_01542674
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015D866E mov eax, dword ptr fs:[00000030h] 3_2_015D866E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154A660 mov eax, dword ptr fs:[00000030h] 3_2_0154A660
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01552619 mov eax, dword ptr fs:[00000030h] 3_2_01552619
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0158E609 mov eax, dword ptr fs:[00000030h] 3_2_0158E609
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0152260B mov eax, dword ptr fs:[00000030h] 3_2_0152260B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01546620 mov eax, dword ptr fs:[00000030h] 3_2_01546620
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01548620 mov eax, dword ptr fs:[00000030h] 3_2_01548620
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0152E627 mov eax, dword ptr fs:[00000030h] 3_2_0152E627
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0151262C mov eax, dword ptr fs:[00000030h] 3_2_0151262C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154A6C7 mov ebx, dword ptr fs:[00000030h] 3_2_0154A6C7
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154A6C7 mov eax, dword ptr fs:[00000030h] 3_2_0154A6C7
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015906F1 mov eax, dword ptr fs:[00000030h] 3_2_015906F1
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0158E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0158E6F2
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01514690 mov eax, dword ptr fs:[00000030h] 3_2_01514690
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015466B0 mov eax, dword ptr fs:[00000030h] 3_2_015466B0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154C6A6 mov eax, dword ptr fs:[00000030h] 3_2_0154C6A6
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015E4940 mov eax, dword ptr fs:[00000030h] 3_2_015E4940
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01590946 mov eax, dword ptr fs:[00000030h] 3_2_01590946
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015B4978 mov eax, dword ptr fs:[00000030h] 3_2_015B4978
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159C97C mov eax, dword ptr fs:[00000030h] 3_2_0159C97C
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01536962 mov eax, dword ptr fs:[00000030h] 3_2_01536962
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0155096E mov eax, dword ptr fs:[00000030h] 3_2_0155096E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0155096E mov edx, dword ptr fs:[00000030h] 3_2_0155096E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01508918 mov eax, dword ptr fs:[00000030h] 3_2_01508918
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159C912 mov eax, dword ptr fs:[00000030h] 3_2_0159C912
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0158E908 mov eax, dword ptr fs:[00000030h] 3_2_0158E908
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015A892B mov eax, dword ptr fs:[00000030h] 3_2_015A892B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159892A mov eax, dword ptr fs:[00000030h] 3_2_0159892A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0151A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0151A9D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015449D0 mov eax, dword ptr fs:[00000030h] 3_2_015449D0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015DA9D3 mov eax, dword ptr fs:[00000030h] 3_2_015DA9D3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015A69C0 mov eax, dword ptr fs:[00000030h] 3_2_015A69C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015429F9 mov eax, dword ptr fs:[00000030h] 3_2_015429F9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159E9E0 mov eax, dword ptr fs:[00000030h] 3_2_0159E9E0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015989B3 mov esi, dword ptr fs:[00000030h] 3_2_015989B3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015989B3 mov eax, dword ptr fs:[00000030h] 3_2_015989B3
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015229A0 mov eax, dword ptr fs:[00000030h] 3_2_015229A0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015109AD mov eax, dword ptr fs:[00000030h] 3_2_015109AD
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01540854 mov eax, dword ptr fs:[00000030h] 3_2_01540854
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01514859 mov eax, dword ptr fs:[00000030h] 3_2_01514859
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01522840 mov ecx, dword ptr fs:[00000030h] 3_2_01522840
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015A6870 mov eax, dword ptr fs:[00000030h] 3_2_015A6870
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159E872 mov eax, dword ptr fs:[00000030h] 3_2_0159E872
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159C810 mov eax, dword ptr fs:[00000030h] 3_2_0159C810
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015B483A mov eax, dword ptr fs:[00000030h] 3_2_015B483A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154A830 mov eax, dword ptr fs:[00000030h] 3_2_0154A830
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01532835 mov eax, dword ptr fs:[00000030h] 3_2_01532835
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01532835 mov ecx, dword ptr fs:[00000030h] 3_2_01532835
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153E8C0 mov eax, dword ptr fs:[00000030h] 3_2_0153E8C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015E08C0 mov eax, dword ptr fs:[00000030h] 3_2_015E08C0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0154C8F9 mov eax, dword ptr fs:[00000030h] 3_2_0154C8F9
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015DA8E4 mov eax, dword ptr fs:[00000030h] 3_2_015DA8E4
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159C89D mov eax, dword ptr fs:[00000030h] 3_2_0159C89D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01510887 mov eax, dword ptr fs:[00000030h] 3_2_01510887
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01508B50 mov eax, dword ptr fs:[00000030h] 3_2_01508B50
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015E2B57 mov eax, dword ptr fs:[00000030h] 3_2_015E2B57
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015BEB50 mov eax, dword ptr fs:[00000030h] 3_2_015BEB50
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015C4B4B mov eax, dword ptr fs:[00000030h] 3_2_015C4B4B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015B8B42 mov eax, dword ptr fs:[00000030h] 3_2_015B8B42
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015A6B40 mov eax, dword ptr fs:[00000030h] 3_2_015A6B40
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015DAB40 mov eax, dword ptr fs:[00000030h] 3_2_015DAB40
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0150CB7E mov eax, dword ptr fs:[00000030h] 3_2_0150CB7E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0158EB1D mov eax, dword ptr fs:[00000030h] 3_2_0158EB1D
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015E4B00 mov eax, dword ptr fs:[00000030h] 3_2_015E4B00
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153EB20 mov eax, dword ptr fs:[00000030h] 3_2_0153EB20
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015D8B28 mov eax, dword ptr fs:[00000030h] 3_2_015D8B28
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015BEBD0 mov eax, dword ptr fs:[00000030h] 3_2_015BEBD0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01530BCB mov eax, dword ptr fs:[00000030h] 3_2_01530BCB
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01510BCD mov eax, dword ptr fs:[00000030h] 3_2_01510BCD
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01518BF0 mov eax, dword ptr fs:[00000030h] 3_2_01518BF0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0159CBF0 mov eax, dword ptr fs:[00000030h] 3_2_0159CBF0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_0153EBFC mov eax, dword ptr fs:[00000030h] 3_2_0153EBFC
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01520BBE mov eax, dword ptr fs:[00000030h] 3_2_01520BBE
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_015C4BB0 mov eax, dword ptr fs:[00000030h] 3_2_015C4BB0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe Code function: 3_2_01516A50 mov eax, dword ptr fs:[00000030h] 3_2_01516A50
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01516A50 mov eax, dword ptr fs:[00000030h]3_2_01516A50
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01520A5B mov eax, dword ptr fs:[00000030h]3_2_01520A5B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01520A5B mov eax, dword ptr fs:[00000030h]3_2_01520A5B
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158CA72 mov eax, dword ptr fs:[00000030h]3_2_0158CA72
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0158CA72 mov eax, dword ptr fs:[00000030h]3_2_0158CA72
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154CA6F mov eax, dword ptr fs:[00000030h]3_2_0154CA6F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154CA6F mov eax, dword ptr fs:[00000030h]3_2_0154CA6F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154CA6F mov eax, dword ptr fs:[00000030h]3_2_0154CA6F
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_015BEA60 mov eax, dword ptr fs:[00000030h]3_2_015BEA60
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0159CA11 mov eax, dword ptr fs:[00000030h]3_2_0159CA11
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01534A35 mov eax, dword ptr fs:[00000030h]3_2_01534A35
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01534A35 mov eax, dword ptr fs:[00000030h]3_2_01534A35
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154CA38 mov eax, dword ptr fs:[00000030h]3_2_0154CA38
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154CA24 mov eax, dword ptr fs:[00000030h]3_2_0154CA24
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0153EA2E mov eax, dword ptr fs:[00000030h]3_2_0153EA2E
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01510AD0 mov eax, dword ptr fs:[00000030h]3_2_01510AD0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01544AD0 mov eax, dword ptr fs:[00000030h]3_2_01544AD0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01544AD0 mov eax, dword ptr fs:[00000030h]3_2_01544AD0
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01566ACC mov eax, dword ptr fs:[00000030h]3_2_01566ACC
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01566ACC mov eax, dword ptr fs:[00000030h]3_2_01566ACC
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01566ACC mov eax, dword ptr fs:[00000030h]3_2_01566ACC
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154AAEE mov eax, dword ptr fs:[00000030h]3_2_0154AAEE
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0154AAEE mov eax, dword ptr fs:[00000030h]3_2_0154AAEE
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_01548A90 mov edx, dword ptr fs:[00000030h]3_2_01548A90
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151EA80 mov eax, dword ptr fs:[00000030h]3_2_0151EA80
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeCode function: 3_2_0151EA80 mov eax, dword ptr fs:[00000030h]3_2_0151EA80
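The rows above are the report's evidence for the "Contains functionality to read the PEB" and "Checks if the current process is being debugged" signatures: fs:[30h] holds the PEB pointer in the 32-bit TEB, and the read that follows usually targets PEB+2 (BeingDebugged) or PEB+68h (NtGlobalFlag). The Python below is an added example, not code from the report or from Joe Sandbox. It finds those instruction encodings in a raw code buffer and names the PEB field read next. The sample buffer is constructed, and the byte-pattern sweep is an assumption standing in for a real disassembler: it can misfire on data bytes and ignores SIB-encoded operands.

```python
"""Find 32-bit PEB-read instruction encodings in a raw code buffer.

Added example, not code from the sandbox report or from Joe Sandbox. The
byte patterns are the encodings behind rows such as
"mov eax, dword ptr fs:[00000030h]": fs:[30h] is the PEB pointer in the
32-bit TEB, and the read that follows usually targets PEB+2
(BeingDebugged) or PEB+68h (NtGlobalFlag). The sweep is a pattern match,
not a disassembler: it assumes code bytes and ignores SIB-encoded forms.
"""
from __future__ import annotations
from dataclasses import dataclass

# ModRM reg/rm field values for the 32-bit general registers
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass(frozen=True)
class PebRead:
    offset: int     # byte offset of the instruction in the buffer
    length: int     # encoded length, so the next instruction is at offset+length
    register: str   # register that receives the PEB pointer
    form: str       # "direct" (fs:[30h]) or "via_teb" (fs:[18h] then [reg+30h])


def find_peb_reads(code: bytes) -> list[PebRead]:
    """Return every PEB-pointer load found in `code`, in address order."""
    hits: list[PebRead] = []
    i, n = 0, len(code)
    while i < n:
        # 64 A1 30 00 00 00              mov eax, fs:[30h]  (moffs32 short form)
        if code[i:i + 6] == b"\x64\xa1\x30\x00\x00\x00":
            hits.append(PebRead(i, 6, "eax", "direct"))
            i += 6
            continue
        # 64 8B /r with mod=00 rm=101 (disp32 = 30h): mov r32, fs:[30h]
        if code[i:i + 2] == b"\x64\x8b" and i + 7 <= n:
            modrm = code[i + 2]
            if (modrm & 0xC7) == 0x05 and code[i + 3:i + 7] == b"\x30\x00\x00\x00":
                hits.append(PebRead(i, 7, REG32[(modrm >> 3) & 7], "direct"))
                i += 7
                continue
        # 64 A1 18 00 00 00 / 8B 40 30   mov eax, fs:[18h]; mov eax, [eax+30h]
        if code[i:i + 9] == b"\x64\xa1\x18\x00\x00\x00\x8b\x40\x30":
            hits.append(PebRead(i, 9, "eax", "via_teb"))
            i += 9
            continue
        i += 1
    return hits


def peb_field_read_next(code: bytes, hit: PebRead) -> str:
    """Name the PEB field the instruction after `hit` reads, if it is one of
    the two classic anti-debug fields; "other" otherwise."""
    j = hit.offset + hit.length
    rm = REG32.index(hit.register)
    nxt = code[j:j + 4]
    # 0F B6 /r  movzx r32, byte ptr [reg+2]   -> BeingDebugged
    if len(nxt) == 4 and nxt[:2] == b"\x0f\xb6" and (nxt[2] & 0xC7) == (0x40 | rm) and nxt[3] == 0x02:
        return "BeingDebugged"
    # 8A /r     mov r8, byte ptr [reg+2]       -> BeingDebugged
    if len(nxt) >= 3 and nxt[0] == 0x8A and (nxt[1] & 0xC7) == (0x40 | rm) and nxt[2] == 0x02:
        return "BeingDebugged"
    # 8B /r     mov r32, dword ptr [reg+68h]   -> NtGlobalFlag
    if len(nxt) >= 3 and nxt[0] == 0x8B and (nxt[1] & 0xC7) == (0x40 | rm) and nxt[2] == 0x68:
        return "NtGlobalFlag"
    return "other"


# Constructed buffer (not bytes from the sample): a prologue, a BeingDebugged
# check through eax, an NtGlobalFlag check through edx, an indirect TEB->PEB load.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"                    # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"           # mov eax, fs:[30h]
    "0f b6 40 02"                 # movzx eax, byte ptr [eax+2]
    "85 c0"                       # test eax, eax
    "64 8b 15 30 00 00 00"        # mov edx, fs:[30h]
    "8b 42 68"                    # mov eax, [edx+68h]
    "64 a1 18 00 00 00 8b 40 30"  # mov eax, fs:[18h]; mov eax, [eax+30h]
    "c3"                          # ret
)


def report(code: bytes) -> list[tuple[int, str, str, str]]:
    """(offset, register, form, field) for each PEB read in `code`."""
    return [(h.offset, h.register, h.form, peb_field_read_next(code, h))
            for h in find_peb_reads(code)]


if __name__ == "__main__":
    for off, reg, form, field in report(SAMPLE_CODE):
        print(f"{off:#06x} {form:8} -> {reg:4} then reads PEB.{field}")
```

Run against a dumped unpacked stage rather than the packed .NET loader on disk: the rows above come from process 3 after unpacking, and the fs:[30h] encodings exist only in the native payload.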
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Memory written: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Process created: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
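Two behaviours in the rows above are worth alerting on: the sample adds a Windows Defender exclusion for its own path through Add-MpPreference, and it spawns a second instance of itself and writes bytes beginning with the MZ header at that child's image base 0x400000, the process-hollowing sequence behind "Injects a PE file into a foreign processes". The Python below is an added triage example, not part of the Joe Sandbox report. The event dicts, their field names and the encoded-command variant are constructed assumptions in the shape of the rows above; the detector also decodes -EncodedCommand payloads, which the plain command line here does not use, so it goes slightly beyond this report.

```python
"""Triage for Defender-exclusion and PE-overwrite events.

Added example, not part of the sandbox report. Events are constructed
dicts modelled on the report's rows; the field names are an assumption.
"""
from __future__ import annotations
import base64
import re

# Add-/Set-MpPreference with any -Exclusion* parameter (quoted or bare value)
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)
# -EncodedCommand and the common abbreviations PowerShell accepts for it
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusions(events: list[dict]) -> list[tuple[str, str, str]]:
    """(creating process, exclusion kind, excluded value) for every process
    creation whose command line, plain or encoded, adds a Defender exclusion."""
    hits = []
    for ev in events:
        if ev["type"] != "process_created":
            continue
        text = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
        if not MPPREF_RE.search(text):
            continue
        for m in EXCLUSION_RE.finditer(text):
            hits.append((ev["source"], "Exclusion" + m.group(1), m.group(2).strip("\"'")))
    return hits


def pe_overwrites(events: list[dict]) -> list[tuple[str, str, int, bool]]:
    """(writer, target image, base, writer spawned target) for every write of
    bytes starting with the MZ header into another process: the hollowing
    pattern behind the 'Memory written ... value starts with: 4D5A' row."""
    spawned: dict[str, set[str]] = {}
    hits = []
    for ev in events:
        if ev["type"] == "process_created":
            spawned.setdefault(ev["source"], set()).add(ev["image"])
        elif ev["type"] == "memory_written" and ev["value_prefix"].upper().startswith("4D5A"):
            hits.append((ev["source"], ev["target"], ev["base"],
                         ev["target"] in spawned.get(ev["source"], set())))
    return hits


EXE = r"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def _encoded(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed event stream in the shape of the report's rows (chronological
# order assumed: the child is created, then its image region is overwritten).
SAMPLE_EVENTS = [
    {"type": "process_created", "source": EXE, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{EXE}"'},
    {"type": "process_created", "source": EXE, "image": EXE, "cmdline": f'"{EXE}"'},
    {"type": "memory_written", "source": EXE, "target": EXE,
     "base": 0x400000, "value_prefix": "4D5A"},
    # encoded variant (constructed, not among the report rows above)
    {"type": "process_created", "source": EXE, "image": PS,
     "cmdline": f'"{PS}" -nop -w hidden -EncodedCommand '
                + _encoded('Add-MpPreference -ExclusionProcess "vTHGfiwMDeoOH5a.exe"')},
    # benign read of the same preference set: must not fire
    {"type": "process_created", "source": EXE, "image": PS, "cmdline": f'"{PS}" Get-MpPreference'},
]

if __name__ == "__main__":
    for hit in defender_exclusions(SAMPLE_EVENTS):
        print("defender exclusion:", hit)
    for hit in pe_overwrites(SAMPLE_EVENTS):
        print("PE header written into child:", hit)
```

A path exclusion pointing at a file under a user's Desktop is itself the alert condition; the cmdlet runs unprivileged only from an elevated session, so a hit also tells you the sample had administrative rights when it ran.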
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe; Queries volume information (VolumeInformation) on:
                C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe
                C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                C:\Windows\Fonts\bahnschrift.ttf (11 occurrences)
                C:\Windows\Fonts\calibrib.ttf
                C:\Windows\Fonts\calibriz.ttf
                C:\Windows\Fonts\cambria.ttc (2 occurrences)
                C:\Windows\Fonts\cambriai.ttf
                C:\Windows\Fonts\cambriab.ttf
                C:\Windows\Fonts\cambriaz.ttf
                C:\Windows\Fonts\Candara.ttf
                C:\Windows\Fonts\Candaral.ttf
                C:\Windows\Fonts\Candarai.ttf
                C:\Windows\Fonts\Candarali.ttf
                C:\Windows\Fonts\Candarab.ttf
                C:\Windows\Fonts\Candaraz.ttf
                C:\Windows\Fonts\comic.ttf
                C:\Windows\Fonts\comici.ttf
                C:\Windows\Fonts\comicbd.ttf
                C:\Windows\Fonts\comicz.ttf
                C:\Windows\Fonts\constan.ttf
                C:\Windows\Fonts\constani.ttf
                C:\Windows\Fonts\constanb.ttf
                C:\Windows\Fonts\constanz.ttf
                C:\Windows\Fonts\corbel.ttf
                C:\Windows\Fonts\corbell.ttf
                C:\Windows\Fonts\corbeli.ttf
                C:\Windows\Fonts\corbelli.ttf
                C:\Windows\Fonts\corbelb.ttf
                C:\Windows\Fonts\corbelz.ttf
                C:\Windows\Fonts\cour.ttf
                C:\Windows\Fonts\couri.ttf
                C:\Windows\Fonts\courbd.ttf
                C:\Windows\Fonts\courbi.ttf
                C:\Windows\Fonts\ebrima.ttf
                C:\Windows\Fonts\ebrimabd.ttf
                C:\Windows\Fonts\framd.ttf
                C:\Windows\Fonts\FRADM.TTF
                C:\Windows\Fonts\framdit.ttf
                C:\Windows\Fonts\FRADMIT.TTF
                C:\Windows\Fonts\FRADMCN.TTF
                C:\Windows\Fonts\gadugi.ttf
                C:\Windows\Fonts\gadugib.ttf
                C:\Windows\Fonts\georgia.ttf
                C:\Windows\Fonts\georgiai.ttf
                C:\Windows\Fonts\georgiab.ttf
                C:\Windows\Fonts\georgiaz.ttf
                C:\Windows\Fonts\impact.ttf
                C:\Windows\Fonts\Inkfree.ttf
                C:\Windows\Fonts\javatext.ttf
                C:\Windows\Fonts\LeelawUI.ttf
                C:\Windows\Fonts\LeelUIsl.ttf
                C:\Windows\Fonts\LeelaUIb.ttf
                C:\Windows\Fonts\lucon.ttf
                C:\Windows\Fonts\l_10646.ttf
                C:\Windows\Fonts\malgun.ttf
                C:\Windows\Fonts\malgunsl.ttf
                C:\Windows\Fonts\malgunbd.ttf
                C:\Windows\Fonts\himalaya.ttf
                C:\Windows\Fonts\msjh.ttc (2 occurrences)
                C:\Windows\Fonts\msjhl.ttc (2 occurrences)
                C:\Windows\Fonts\msjhbd.ttc
                C:\Windows\Fonts\ntailu.ttf
                C:\Windows\Fonts\ntailub.ttf
                C:\Windows\Fonts\phagspa.ttf
                C:\Windows\Fonts\phagspab.ttf
                C:\Windows\Fonts\micross.ttf
                C:\Windows\Fonts\taile.ttf
                C:\Windows\Fonts\taileb.ttf
                C:\Windows\Fonts\msyh.ttc (2 occurrences)
                C:\Windows\Fonts\msyhl.ttc (2 occurrences)
                C:\Windows\Fonts\msyhbd.ttc (2 occurrences)
                C:\Windows\Fonts\msyi.ttf
                C:\Windows\Fonts\mingliub.ttc (3 occurrences)
                C:\Windows\Fonts\monbaiti.ttf
                C:\Windows\Fonts\msgothic.ttc (2 occurrences)
                C:\Windows\Fonts\mvboli.ttf
                C:\Windows\Fonts\mmrtext.ttf
                C:\Windows\Fonts\mmrtextb.ttf
                C:\Windows\Fonts\Nirmala.ttf
                C:\Windows\Fonts\NirmalaS.ttf
                C:\Windows\Fonts\NirmalaB.ttf
                C:\Windows\Fonts\palai.ttf
                C:\Windows\Fonts\palab.ttf
                C:\Windows\Fonts\palabi.ttf
                C:\Windows\Fonts\segoepr.ttf
                C:\Windows\Fonts\segoeprb.ttf
                C:\Windows\Fonts\segoesc.ttf
                C:\Windows\Fonts\segoescb.ttf
                C:\Windows\Fonts\seguihis.ttf
                C:\Windows\Fonts\simsun.ttc
                C:\Windows\Fonts\simsunb.ttf
                C:\Windows\Fonts\Sitka.ttc (2 occurrences)
                C:\Windows\Fonts\SitkaI.ttc
                C:\Windows\Fonts\SitkaB.ttc
                C:\Windows\Fonts\symbol.ttf
                C:\Windows\Fonts\tahoma.ttf
                C:\Windows\Fonts\tahomabd.ttf
                C:\Windows\Fonts\timesbd.ttf
                C:\Windows\Fonts\trebuc.ttf
                C:\Windows\Fonts\trebucit.ttf
                C:\Windows\Fonts\trebucbd.ttf
                C:\Windows\Fonts\trebucbi.ttf
                C:\Windows\Fonts\verdana.ttf
                C:\Windows\Fonts\verdanai.ttf
                C:\Windows\Fonts\verdanab.ttf
                C:\Windows\Fonts\verdanaz.ttf
                C:\Windows\Fonts\webdings.ttf
                C:\Windows\Fonts\wingding.ttf
                C:\Windows\Fonts\YuGothR.ttc
                C:\Windows\Fonts\YuGothM.ttc
                C:\Windows\Fonts\YuGothL.ttc
                C:\Windows\Fonts\YuGothB.ttc
                C:\Windows\Fonts\holomdl2.ttf
                C:\Windows\Fonts\AGENCYR.TTF
                C:\Windows\Fonts\ALGER.TTF
                C:\Windows\Fonts\ANTQUAB.TTF
                C:\Windows\Fonts\BELL.TTF
                C:\Windows\Fonts\BELLI.TTF
                C:\Windows\Fonts\BELLB.TTF
                C:\Windows\Fonts\BERNHC.TTF
                C:\Windows\Fonts\BOD_R.TTF
                C:\Windows\Fonts\BOD_I.TTF
                C:\Windows\Fonts\BOD_B.TTF
                C:\Windows\Fonts\BOD_CR.TTF
                C:\Windows\Fonts\BOD_BLAR.TTF
                C:\Windows\Fonts\BOD_CI.TTF
                C:\Windows\Fonts\BOD_CB.TTF
                C:\Windows\Fonts\BOOKOSBI.TTF
                C:\Windows\Fonts\BRADHITC.TTF
                C:\Windows\Fonts\BRLNSR.TTF
                C:\Windows\Fonts\BRLNSB.TTF
                C:\Windows\Fonts\BRUSHSCI.TTF
                C:\Windows\Fonts\CALISTBI.TTF
                C:\Windows\Fonts\CASTELAR.TTF
                C:\Windows\Fonts\CENSCBK.TTF
                C:\Windows\Fonts\SCHLBKB.TTF
                C:\Windows\Fonts\SCHLBKBI.TTF
                C:\Windows\Fonts\CHILLER.TTF
                C:\Windows\Fonts\COPRGTL.TTF
                C:\Windows\Fonts\CURLZ___.TTF
                C:\Windows\Fonts\DUBAI-REGULAR.TTF
                C:\Windows\Fonts\DUBAI-MEDIUM.TTF
                C:\Windows\Fonts\ELEPHNT.TTF
                C:\Windows\Fonts\ENGR.TTF
                C:\Windows\Fonts\ERASMD.TTF
                C:\Windows\Fonts\ERASDEMI.TTF
                C:\Windows\Fonts\GARABD.TTF
                C:\Windows\Fonts\GIGI.TTF
                C:\Windows\Fonts\GILI____.TTF
                C:\Windows\Fonts\GILB____.TTF
                C:\Windows\Fonts\HATTEN.TTF
                C:\Windows\Fonts\HTOWERT.TTF
                C:\Windows\Fonts\KUNSTLER.TTF
                C:\Windows\Fonts\LBRITED.TTF
                C:\Windows\Fonts\LBRITEI.TTF
                C:\Windows\Fonts\LSANSI.TTF
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vTHGfiwMDeoOH5a.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (techniques listed per tactic column; the number before a technique is the count shown for it in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 21 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (rendered as an image in the original report; recoverable data only)
Behavior Graph ID: 1527610
Sample: vTHGfiwMDeoOH5a.exe
Startdate: 07/10/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures
Process tree:
vTHGfiwMDeoOH5a.exe (started)
    dropped: C:\Users\user\...\vTHGfiwMDeoOH5a.exe.log, CSV
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    powershell.exe (started)
        signatures: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
    vTHGfiwMDeoOH5a.exe (started)

Source | Detection | Scanner | Label
vTHGfiwMDeoOH5a.exe | 36% | Virustotal |
vTHGfiwMDeoOH5a.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1737733029.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | vTHGfiwMDeoOH5a.exe, 00000000.00000002.1755243147.0000000006D72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1527610
            Start date and time:2024-10-07 06:27:05 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 12s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:11
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:vTHGfiwMDeoOH5a.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/6@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 96%
            • Number of executed functions: 38
            • Number of non-executed functions: 273
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:28:01 | API Interceptor | 5x Sleep call for process: vTHGfiwMDeoOH5a.exe modified
00:28:02 | API Interceptor | 17x Sleep call for process: powershell.exe modified
            No context
            No context
            No context
            No context
            No context
            Process:C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe
            File Type:CSV text
            Category:dropped
            Size (bytes):2056
            Entropy (8bit):5.342567089024067
            Encrypted:false
            SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvKHj:iqlYqh3ou0aymsqwtI6eqzqqxwRiD
            MD5:E518150A4E0AC0BB13C49E3437CAD6D1
            SHA1:EEB063C4020BB91C4F546B0D5AF9C4C446212A53
            SHA-256:80F14F1E93CC189B336F3B86EB76B1F874F2B05A222EC8C21FA0ED7D0D207706
            SHA-512:FCC2CF289AB4DEFFBE34BC5F390DB69942C6563F859B97945995E8899DFE1306081B5B55AE54779AC4B6A57BA4B265638D497B847D41E44681DF4B3C497C0A78
            Malicious:true
            Reputation:low
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.379736180876081
            Encrypted:false
            SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:tLHyIFKL3IZ2KRH9Ouggs
            MD5:C3F772151C5BC427ED6271C19B318E09
            SHA1:C7DB81507519F0F0EF88CD7A1A85274BF9A9DCFD
            SHA-256:9C857729E6040DE370FFC9C380F5AD7F5E5B7A43F2589A10EA8BEFB593BCA9BE
            SHA-512:D645F588F7F7AEA52E151D7F13616F6656FBFDF6542426FD96E9FAFCD2A4101FB52DDECA3957E29E1AD3A274EE8B6A55B6880579105BDA16D8681852E96308E6
            Malicious:false
            Reputation:low
            Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.9362541428820625
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:vTHGfiwMDeoOH5a.exe
            File size:804'352 bytes
            MD5:3aa5992e9a518e4d1a7042a16b10e31d
            SHA1:5bce77192abbf2a71a2b19d6b00f08685f569b64
            SHA256:cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
            SHA512:518b38137a320e3853e28496485c04c933b68ef34f4ef9b4da363711555ea70c11325d4e05d761d5a4aaa199e684e0da084e0226f319cfe3a29dc00d120fed95
            SSDEEP:24576:A0ixK9bqAGf89ojqUk6fT6xuBgptr6svn6v:9ixKp5NX6BBStr6svnu
            TLSH:67051268631C9659C76C07FA4492C21053BE2638A94DC76C7E93B48F44DBB658332FEE
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=.g..............0......(.......;... ...@....@.. ....................................@................................
            Icon Hash:878eb7a3a6879fa4
            Entrypoint:0x4c3bce
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x67033D09 [Mon Oct 7 01:44:41 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al   (repeated for the remainder of the listing)
            The entrypoint is the usual native stub of a .NET executable: 0x402000 is the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8, image base 0x400000) holding mscoree.dll!_CorExeMain, so the first instruction hands control to the CLR. The following bytes are zero padding; 00 00 decodes as add byte ptr [eax], al, so those lines are not code.
            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0xc3b7c          0x4f          .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x242c        .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8000          0xc           .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
            .text   0x2000           0xc1bd4       0xc1c00   781b1d3deefffa396f6d7420207f77d4  False     0.9285194052419354  data       7.9436966526072      IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc   0xc4000          0x242c        0x2600    3ffa0ce9ce909eb41f6de1f5fbaf4a6b  False     0.8655427631578947  data       7.348064530114722    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc  0xc8000          0xc           0x200     ca581c9747351dc8fdb9092650da0b2d  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
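The sections table above is the static tell for this sample: a .text section of 0xc1c00 bytes at 7.94 bits per byte with a ZLIB complexity of 0.93, which means the bytes are almost incompressible and therefore not ordinary CIL code but an encrypted or packed payload that the visible .NET stub unwraps at run time. The following script is an added example and not part of the Joe Sandbox report; it reproduces the two per-section metrics the report tabulates (Shannon entropy, and "ZLIB complexity" taken here to mean compressed size divided by raw size) and applies the packing heuristic to three constructed buffers. The thresholds and the sample byte patterns are assumptions chosen for the example.

```python
"""Packing heuristic over PE section bytes (added example, not report code)."""
import math
import random
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SectionTriage:
    name: str
    size: int
    entropy: float          # Shannon entropy, 0.0 .. 8.0 bits per byte
    zlib_complexity: float  # len(zlib.compress(data)) / len(data)
    suspicious: bool        # high entropy AND nearly incompressible


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for identical bytes, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed-to-raw size ratio; about 1.0 means zlib found no redundancy at all."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_section(name: str, data: bytes,
                   entropy_threshold: float = 7.2,
                   complexity_threshold: float = 0.9) -> SectionTriage:
    """Flag a section that looks packed or encrypted.

    The thresholds are assumptions for this example: compiled x86 or CIL code
    usually sits around 6.0-6.8 bits/byte and compresses well, so a code
    section that clears both bars is carrying something other than code.
    """
    e = shannon_entropy(data)
    z = zlib_complexity(data)
    return SectionTriage(name, len(data), e, z,
                         e >= entropy_threshold and z >= complexity_threshold)


def build_sample_sections() -> dict:
    """Constructed stand-ins for the three kinds of section seen in the report."""
    rng = random.Random(1527610)  # seeded so the numbers are reproducible
    packed = bytes(rng.randrange(256) for _ in range(64 * 1024))   # like the report's .text
    # Instruction-like records with counters in the operand bytes: structured,
    # so both entropy and the zlib ratio stay well below the packed case.
    code = b"".join(bytes([0x8B, 0x45, i & 0x7F, 0x89, 0x45, (i * 7) & 0xFF, 0xE8, i & 0xFF])
                    for i in range(4096))
    padding = bytes(0x200)                                          # like the report's .reloc
    return {".text": packed, ".code": code, ".reloc": padding}


def triage_all(sections: dict) -> list:
    return [triage_section(n, d) for n, d in sections.items()]


if __name__ == "__main__":
    for t in triage_all(build_sample_sections()):
        flag = "PACKED?" if t.suspicious else "ok"
        print(f"{t.name:7} size={t.size:7d} entropy={t.entropy:5.3f} "
              f"zlib={t.zlib_complexity:5.3f} {flag}")
```

To run it over a real file, slice each section's raw bytes out of the PE using the Raw Size and raw offset from the section header and pass them to triage_section; the verdict is a triage hint, not proof of malice, since signed installers and resource-heavy binaries also carry high-entropy sections, which is why the report's .rsrc (a PNG icon at 7.35 bits/byte) is not the interesting row.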
            Name           RVA      Size    Type                                                          Language  Country  ZLIB Complexity
            RT_ICON        0xc40c8  0x201d  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.9674005595426347
            RT_GROUP_ICON  0xc60f8  0x14    data                                                                            1.05
            RT_VERSION     0xc611c  0x30c   data                                                                            0.4371794871794872
            DLL          Import
            mscoree.dll  _CorExeMain
            No network behavior found

            Target ID:0
            Start time:00:27:58
            Start date:07/10/2024
            Path:C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Imagebase:0x680000
            File size:804'352 bytes
            MD5 hash:3AA5992E9A518E4D1A7042A16B10E31D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:00:28:02
            Start date:07/10/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Imagebase:0xcf0000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:00:28:02
            Start date:07/10/2024
            Path:C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"
            Imagebase:0x870000
            File size:804'352 bytes
            MD5 hash:3AA5992E9A518E4D1A7042A16B10E31D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1819365139.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:4
            Start time:00:28:02
            Start date:07/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:00:28:04
            Start date:07/10/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff693ab0000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true
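The process list above carries the two behaviours that matter for detection: Target 2 is powershell.exe running Add-MpPreference -ExclusionPath against the sample's own path (a Defender exclusion for itself, the basis of the two Sigma hits in the signature list), and Target 3 is the same image launched four seconds after Target 0 (the re-launched copy that the FormBook YARA rules match at 0x400000). Note also that Target 2's command line names System32 while its Path is SysWOW64: the 32-bit sample spawned it, so file-system redirection substituted the 32-bit PowerShell. The script below is an added example, not part of the Joe Sandbox report. It transcribes the five process records from the list (start time, path, command line) and runs three rules over them; parent/child links are not shown in this excerpt, so the rules deliberately do not use them, and the relaunch window is an assumption.

```python
"""Process-list triage for the behaviour this report shows (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Proc:
    target_id: int
    start: datetime
    path: str
    cmdline: str
    wow64: bool


def report_processes() -> list:
    """Transcribed from the report's process list; same-day times only."""
    def at(hms: str) -> datetime:
        return datetime.strptime(hms, "%H:%M:%S")
    return [
        Proc(0, at("00:27:58"), r"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe",
             r'"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"', True),
        Proc(2, at("00:28:02"), r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
             r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
             r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"', True),
        Proc(3, at("00:28:02"), r"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe",
             r'"C:\Users\user\Desktop\vTHGfiwMDeoOH5a.exe"', True),
        Proc(4, at("00:28:02"), r"C:\Windows\System32\conhost.exe",
             r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False),
        Proc(5, at("00:28:04"), r"C:\Windows\System32\wbem\WmiPrvSE.exe",
             r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding", False),
    ]


# Add-MpPreference / Set-MpPreference followed by any of the exclusion parameters,
# with the value either double-quoted, single-quoted or bare.
_EXCL_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r'''(?:"([^"]+)"|'([^']+)'|(\S+))''',
    re.IGNORECASE)


def defender_exclusions(p: Proc) -> list:
    """Return (kind, value) for every Defender exclusion set on this command line."""
    out = []
    for m in _EXCL_RE.finditer(p.cmdline):
        value = m.group(3) or m.group(4) or m.group(5)
        out.append((m.group(2).lower(), value))
    return out


def wow64_redirected(p: Proc) -> bool:
    """Command line asked for System32 but the image came from SysWOW64."""
    return (re.search(r"\\system32\\", p.cmdline, re.I) is not None
            and re.search(r"\\syswow64\\", p.path, re.I) is not None)


def triage(procs: list, relaunch_window_s: int = 30) -> list:
    """Return one human-readable finding per matched rule."""
    findings = []
    image_paths = {p.path.lower() for p in procs}
    for p in procs:
        for kind, value in defender_exclusions(p):
            findings.append(f"T{p.target_id}: Defender exclusion added from the command line ({kind}={value})")
            if kind == "path" and value.lower() in image_paths:
                findings.append(f"T{p.target_id}: excluded path is a running process image (self-exclusion)")
        if wow64_redirected(p):
            findings.append(f"T{p.target_id}: WOW64 file-system redirection (command line names System32, image is SysWOW64)")
    # Same image started again shortly after its first instance: the pattern of a
    # loader that re-launches itself suspended and overwrites the child.
    by_path = {}
    for p in sorted(procs, key=lambda q: q.start):
        by_path.setdefault(p.path.lower(), []).append(p)
    for path, insts in by_path.items():
        for a, b in zip(insts, insts[1:]):
            if (b.start - a.start).total_seconds() <= relaunch_window_s:
                findings.append(f"T{a.target_id}->T{b.target_id}: same image relaunched within {relaunch_window_s}s ({path})")
    return findings


if __name__ == "__main__":
    for line in triage(report_processes()):
        print(line)
```

On a live host the same exclusion rule can be checked after the fact with Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension) and Microsoft-Windows-Windows Defender/Operational event 5007, which records each configuration change; the command-line match is the earlier signal because it fires before the exclusion takes effect.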


              Execution Graph

              Execution Coverage:7.5%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:1.6%
              Total number of Nodes:187
              Total number of Limit Nodes:11
              execution_graph 22640 75a9ad8 22641 75a9c63 22640->22641 22642 75a9afe 22640->22642 22642->22641 22645 75a9d58 PostMessageW 22642->22645 22647 75a9d52 22642->22647 22646 75a9dc4 22645->22646 22646->22642 22648 75a9d58 PostMessageW 22647->22648 22649 75a9dc4 22648->22649 22649->22642 22650 75a5749 22651 75a57f4 22650->22651 22656 75a8908 22651->22656 22673 75a89b6 22651->22673 22691 75a88f8 22651->22691 22652 75a5804 22657 75a8922 22656->22657 22708 75a8e5b 22657->22708 22713 75a8ee4 22657->22713 22717 75a9081 22657->22717 22722 75a92c1 22657->22722 22726 75a8f77 22657->22726 22731 75a9396 22657->22731 22736 75a8eb6 22657->22736 22741 75a8e91 22657->22741 22746 75a8c70 22657->22746 22751 75a9133 22657->22751 22756 75a9712 22657->22756 22761 75a93dd 22657->22761 22766 75a95dc 22657->22766 22771 75a8e39 22657->22771 22658 75a892a 22658->22652 22674 75a8944 22673->22674 22676 75a89b9 22673->22676 22675 75a892a 22674->22675 22677 75a8e5b 2 API calls 22674->22677 22678 75a8e39 2 API calls 22674->22678 22679 75a95dc 2 API calls 22674->22679 22680 75a93dd 2 API calls 22674->22680 22681 75a9712 2 API calls 22674->22681 22682 75a9133 2 API calls 22674->22682 22683 75a8c70 2 API calls 22674->22683 22684 75a8e91 2 API calls 22674->22684 22685 75a8eb6 2 API calls 22674->22685 22686 75a9396 2 API calls 22674->22686 22687 75a8f77 2 API calls 22674->22687 22688 75a92c1 2 API calls 22674->22688 22689 75a9081 2 API calls 22674->22689 22690 75a8ee4 2 API calls 22674->22690 22675->22652 22677->22675 22678->22675 22679->22675 22680->22675 22681->22675 22682->22675 22683->22675 22684->22675 22685->22675 22686->22675 22687->22675 22688->22675 22689->22675 22690->22675 22692 75a88d7 22691->22692 22692->22691 22694 75a8e5b 2 API calls 22692->22694 22695 75a8e39 2 API calls 22692->22695 22696 75a95dc 2 API calls 22692->22696 22697 75a93dd 2 API calls 22692->22697 22698 75a9712 2 API calls 22692->22698 22699 75a9133 2 API calls 22692->22699 22700 75a8c70 2 API calls 
22692->22700 22701 75a8e91 2 API calls 22692->22701 22702 75a8eb6 2 API calls 22692->22702 22703 75a9396 2 API calls 22692->22703 22704 75a8f77 2 API calls 22692->22704 22705 75a92c1 2 API calls 22692->22705 22706 75a9081 2 API calls 22692->22706 22707 75a8ee4 2 API calls 22692->22707 22693 75a892a 22693->22652 22694->22693 22695->22693 22696->22693 22697->22693 22698->22693 22699->22693 22700->22693 22701->22693 22702->22693 22703->22693 22704->22693 22705->22693 22706->22693 22707->22693 22709 75a8e75 22708->22709 22776 75a48a8 22709->22776 22780 75a48a0 22709->22780 22710 75a916a 22784 75a4958 22713->22784 22788 75a4950 22713->22788 22714 75a8efe 22714->22658 22718 75a96db 22717->22718 22792 75a4e68 22718->22792 22796 75a4e60 22718->22796 22719 75a96fc 22719->22658 22800 75a4f28 22722->22800 22804 75a4f20 22722->22804 22723 75a92ef 22727 75a8f7d 22726->22727 22808 75a5018 22727->22808 22812 75a5010 22727->22812 22728 75a8fa0 22728->22658 22732 75a8e42 22731->22732 22734 75a4f28 WriteProcessMemory 22732->22734 22735 75a4f20 WriteProcessMemory 22732->22735 22733 75a983d 22734->22733 22735->22733 22737 75a8ebc 22736->22737 22739 75a48a8 ResumeThread 22737->22739 22740 75a48a0 ResumeThread 22737->22740 22738 75a916a 22739->22738 22740->22738 22742 75a8e9e 22741->22742 22744 75a4f28 WriteProcessMemory 22742->22744 22745 75a4f20 WriteProcessMemory 22742->22745 22743 75a9246 22744->22743 22745->22743 22747 75a8ca3 22746->22747 22748 75a8d1b 22747->22748 22816 75a51b0 22747->22816 22820 75a51a5 22747->22820 22748->22658 22752 75a913e 22751->22752 22754 75a48a8 ResumeThread 22752->22754 22755 75a48a0 ResumeThread 22752->22755 22753 75a916a 22754->22753 22755->22753 22757 75a8e42 22756->22757 22759 75a4f28 WriteProcessMemory 22757->22759 22760 75a4f20 WriteProcessMemory 22757->22760 22758 75a983d 22759->22758 22760->22758 22764 75a4958 Wow64SetThreadContext 22761->22764 22765 75a4950 Wow64SetThreadContext 22761->22765 22762 75a93dc 22762->22761 22763 75a95f2 22762->22763 
22763->22658 22764->22762 22765->22762 22767 75a93dc 22766->22767 22767->22766 22768 75a95f2 22767->22768 22769 75a4958 Wow64SetThreadContext 22767->22769 22770 75a4950 Wow64SetThreadContext 22767->22770 22768->22658 22769->22767 22770->22767 22772 75a8e42 22771->22772 22774 75a4f28 WriteProcessMemory 22772->22774 22775 75a4f20 WriteProcessMemory 22772->22775 22773 75a983d 22774->22773 22775->22773 22777 75a48e8 ResumeThread 22776->22777 22779 75a4919 22777->22779 22779->22710 22781 75a48a8 ResumeThread 22780->22781 22783 75a4919 22781->22783 22783->22710 22785 75a499d Wow64SetThreadContext 22784->22785 22787 75a49dc 22785->22787 22787->22714 22789 75a4958 Wow64SetThreadContext 22788->22789 22791 75a49dc 22789->22791 22791->22714 22793 75a4ea8 VirtualAllocEx 22792->22793 22795 75a4ee5 22793->22795 22795->22719 22797 75a4e68 VirtualAllocEx 22796->22797 22799 75a4ee5 22797->22799 22799->22719 22801 75a4f70 WriteProcessMemory 22800->22801 22803 75a4fc7 22801->22803 22803->22723 22805 75a4f28 WriteProcessMemory 22804->22805 22807 75a4fc7 22805->22807 22807->22723 22809 75a5063 ReadProcessMemory 22808->22809 22811 75a50a7 22809->22811 22811->22728 22813 75a5018 ReadProcessMemory 22812->22813 22815 75a50a7 22813->22815 22815->22728 22817 75a5239 CreateProcessA 22816->22817 22819 75a53fb 22817->22819 22821 75a51b0 CreateProcessA 22820->22821 22823 75a53fb 22821->22823 22824 29ff5b0 22825 29ff5db 22824->22825 22830 29ffb20 22825->22830 22826 29ff65e 22827 29fa7a4 GetModuleHandleW 22826->22827 22828 29ff68a 22826->22828 22827->22828 22831 29ffb4d 22830->22831 22832 29ffbce 22831->22832 22834 29ffc90 22831->22834 22835 29ffca5 22834->22835 22836 29fa7a4 GetModuleHandleW 22835->22836 22837 29ffcc9 22835->22837 22836->22837 22843 29ffe85 22837->22843 22844 29fa7a4 22837->22844 22839 29ffe0b 22840 29fa7a4 GetModuleHandleW 22839->22840 22839->22843 22841 29ffe59 22840->22841 22842 29fa7a4 GetModuleHandleW 22841->22842 22841->22843 22842->22843 22843->22832 22845 29fb698 
GetModuleHandleW 22844->22845 22847 29fb70d 22845->22847 22847->22839 22848 29fb3b0 22852 29fb498 22848->22852 22862 29fb4a8 22848->22862 22849 29fb3bf 22853 29fb4b9 22852->22853 22856 29fb4dc 22852->22856 22854 29fa7a4 GetModuleHandleW 22853->22854 22855 29fb4c4 22854->22855 22855->22856 22872 29fb740 22855->22872 22875 29fb731 22855->22875 22856->22849 22857 29fb4d4 22857->22856 22858 29fb6e0 GetModuleHandleW 22857->22858 22859 29fb70d 22858->22859 22859->22849 22863 29fb4b9 22862->22863 22866 29fb4dc 22862->22866 22864 29fa7a4 GetModuleHandleW 22863->22864 22865 29fb4c4 22864->22865 22865->22866 22870 29fb731 GetModuleHandleW 22865->22870 22871 29fb740 GetModuleHandleW 22865->22871 22866->22849 22867 29fb4d4 22867->22866 22868 29fb6e0 GetModuleHandleW 22867->22868 22869 29fb70d 22868->22869 22869->22849 22870->22867 22871->22867 22873 29fa7a4 GetModuleHandleW 22872->22873 22874 29fb754 22872->22874 22873->22874 22874->22857 22876 29fa7a4 GetModuleHandleW 22875->22876 22877 29fb754 22876->22877 22877->22857
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aa7d951b34f7a578b6a28bec0c962c8f9c0e335a3dc439004cf56183730aec22
              • Instruction ID: 1f85cd4b9b7d5137d80ede963f552c488d670c9f0473098abb1782f455f932a7
              • Opcode Fuzzy Hash: aa7d951b34f7a578b6a28bec0c962c8f9c0e335a3dc439004cf56183730aec22
              • Instruction Fuzzy Hash: 1432A8B1B01205AFDB59DB69C550BAEB7F6BFC8300F24846AE1469B3A0DB35ED01CB51
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7abaa9dcd1dd5e660de28b0b61e4b7159c356c0637ee58a154e1b237d2b4439
              • Instruction ID: 35d00f7af9182b5a2af3bed14c5f1084fc3653aa367eeee546d628158f9e5b96
              • Opcode Fuzzy Hash: e7abaa9dcd1dd5e660de28b0b61e4b7159c356c0637ee58a154e1b237d2b4439
              • Instruction Fuzzy Hash: B1513AB1D44629DBEB68CF66C8407EDBBB6BF89300F14C5BAD409A6250EB705A85CF40

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 38 75a51a5-75a5245 41 75a527e-75a529e 38->41 42 75a5247-75a5251 38->42 49 75a52a0-75a52aa 41->49 50 75a52d7-75a5306 41->50 42->41 43 75a5253-75a5255 42->43 44 75a5278-75a527b 43->44 45 75a5257-75a5261 43->45 44->41 47 75a5263 45->47 48 75a5265-75a5274 45->48 47->48 48->48 51 75a5276 48->51 49->50 52 75a52ac-75a52ae 49->52 58 75a5308-75a5312 50->58 59 75a533f-75a53f9 CreateProcessA 50->59 51->44 53 75a52b0-75a52ba 52->53 54 75a52d1-75a52d4 52->54 56 75a52be-75a52cd 53->56 57 75a52bc 53->57 54->50 56->56 60 75a52cf 56->60 57->56 58->59 61 75a5314-75a5316 58->61 70 75a53fb-75a5401 59->70 71 75a5402-75a5488 59->71 60->54 63 75a5318-75a5322 61->63 64 75a5339-75a533c 61->64 65 75a5326-75a5335 63->65 66 75a5324 63->66 64->59 65->65 68 75a5337 65->68 66->65 68->64 70->71 81 75a548a-75a548e 71->81 82 75a5498-75a549c 71->82 81->82 83 75a5490 81->83 84 75a549e-75a54a2 82->84 85 75a54ac-75a54b0 82->85 83->82 84->85 86 75a54a4 84->86 87 75a54b2-75a54b6 85->87 88 75a54c0-75a54c4 85->88 86->85 87->88 91 75a54b8 87->91 89 75a54d6-75a54dd 88->89 90 75a54c6-75a54cc 88->90 92 75a54df-75a54ee 89->92 93 75a54f4 89->93 90->89 91->88 92->93 95 75a54f5 93->95 95->95
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075A53E6
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 01cd2fd54207bc42c8638ac51240809772607653dcf64f148dec1d3fcc7982db
              • Instruction ID: 50fd7aabedfc7705d047097095f9f4c6fc967975e40d08006701651f9166a5f6
              • Opcode Fuzzy Hash: 01cd2fd54207bc42c8638ac51240809772607653dcf64f148dec1d3fcc7982db
              • Instruction Fuzzy Hash: B1A180B1D00219DFDF10CFA8C840BDDBBB6BF48314F1485AAE809A7254EB749995CF91

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 96 75a51b0-75a5245 98 75a527e-75a529e 96->98 99 75a5247-75a5251 96->99 106 75a52a0-75a52aa 98->106 107 75a52d7-75a5306 98->107 99->98 100 75a5253-75a5255 99->100 101 75a5278-75a527b 100->101 102 75a5257-75a5261 100->102 101->98 104 75a5263 102->104 105 75a5265-75a5274 102->105 104->105 105->105 108 75a5276 105->108 106->107 109 75a52ac-75a52ae 106->109 115 75a5308-75a5312 107->115 116 75a533f-75a53f9 CreateProcessA 107->116 108->101 110 75a52b0-75a52ba 109->110 111 75a52d1-75a52d4 109->111 113 75a52be-75a52cd 110->113 114 75a52bc 110->114 111->107 113->113 117 75a52cf 113->117 114->113 115->116 118 75a5314-75a5316 115->118 127 75a53fb-75a5401 116->127 128 75a5402-75a5488 116->128 117->111 120 75a5318-75a5322 118->120 121 75a5339-75a533c 118->121 122 75a5326-75a5335 120->122 123 75a5324 120->123 121->116 122->122 125 75a5337 122->125 123->122 125->121 127->128 138 75a548a-75a548e 128->138 139 75a5498-75a549c 128->139 138->139 140 75a5490 138->140 141 75a549e-75a54a2 139->141 142 75a54ac-75a54b0 139->142 140->139 141->142 143 75a54a4 141->143 144 75a54b2-75a54b6 142->144 145 75a54c0-75a54c4 142->145 143->142 144->145 148 75a54b8 144->148 146 75a54d6-75a54dd 145->146 147 75a54c6-75a54cc 145->147 149 75a54df-75a54ee 146->149 150 75a54f4 146->150 147->146 148->145 149->150 152 75a54f5 150->152 152->152
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075A53E6
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 495e83c519bdff0685e1e0c5d9594911fb2fc6b3496fe7af31505732359b3ce7
              • Instruction ID: 2b36dad9f6445ece3f4f8d565e33d92ec41258e2f91d5c066c2d743341e4b494
              • Opcode Fuzzy Hash: 495e83c519bdff0685e1e0c5d9594911fb2fc6b3496fe7af31505732359b3ce7
              • Instruction Fuzzy Hash: 009180B1D00219DFDF10CFA8C840BDDBBB6BF48314F1481AAE809A7254EB749995CF91

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 153 29fb4a8-29fb4b7 154 29fb4b9-29fb4c6 call 29fa7a4 153->154 155 29fb4e3-29fb4e7 153->155 162 29fb4dc 154->162 163 29fb4c8 154->163 156 29fb4fb-29fb53c 155->156 157 29fb4e9-29fb4f3 155->157 164 29fb53e-29fb546 156->164 165 29fb549-29fb557 156->165 157->156 162->155 210 29fb4ce call 29fb731 163->210 211 29fb4ce call 29fb740 163->211 164->165 166 29fb57b-29fb57d 165->166 167 29fb559-29fb55e 165->167 171 29fb580-29fb587 166->171 169 29fb569 167->169 170 29fb560-29fb567 call 29fa7b0 167->170 168 29fb4d4-29fb4d6 168->162 172 29fb618-29fb6d8 168->172 175 29fb56b-29fb579 169->175 170->175 173 29fb589-29fb591 171->173 174 29fb594-29fb59b 171->174 203 29fb6da-29fb6dd 172->203 204 29fb6e0-29fb70b GetModuleHandleW 172->204 173->174 177 29fb59d-29fb5a5 174->177 178 29fb5a8-29fb5b1 call 29fa7c0 174->178 175->171 177->178 184 29fb5be-29fb5c3 178->184 185 29fb5b3-29fb5bb 178->185 187 29fb5c5-29fb5cc 184->187 188 29fb5e1-29fb5e5 184->188 185->184 187->188 189 29fb5ce-29fb5de call 29fa7d0 call 29fa7e0 187->189 208 29fb5e8 call 29fba10 188->208 209 29fb5e8 call 29fba20 188->209 189->188 190 29fb5eb-29fb5ee 193 29fb611-29fb617 190->193 194 29fb5f0-29fb60e 190->194 194->193 203->204 205 29fb70d-29fb713 204->205 206 29fb714-29fb728 204->206 205->206 208->190 209->190 210->168 211->168
              Memory Dump Source
              • Source File: 00000000.00000002.1737564156.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_29f0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 52d00ce5b0e82d5f3127cd700baa42c4d3ff02bb57f66bba9afb73bdca63b4b1
              • Instruction ID: 01e6a972b52608ed0176a6e4c7616daf9cc8f9543aef802c99751e7361df3618
              • Opcode Fuzzy Hash: 52d00ce5b0e82d5f3127cd700baa42c4d3ff02bb57f66bba9afb73bdca63b4b1
              • Instruction Fuzzy Hash: 4F713570A00B058FD7A4DF29D56575ABBF5BF88308F108A29D18ADBB50DB74E845CF90

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 212 75a4f20-75a4f76 215 75a4f78-75a4f84 212->215 216 75a4f86-75a4fc5 WriteProcessMemory 212->216 215->216 218 75a4fce-75a4ffe 216->218 219 75a4fc7-75a4fcd 216->219 219->218
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075A4FB8
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: afe3e4c373a951d0070fbb7b59b45a54336b49a015ac3d00ef01129600e7f3ef
              • Instruction ID: 0a6404dde9b9a307fb8f14571f86b87d37a0e42b87627894c7d698d9a1fe6d1f
              • Opcode Fuzzy Hash: afe3e4c373a951d0070fbb7b59b45a54336b49a015ac3d00ef01129600e7f3ef
              • Instruction Fuzzy Hash: 6C217AB29003599FCB10DFA9C985BDEBBF5FF48320F10842AE959A7350C774A545CBA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 223 75a4950-75a49a3 226 75a49b3-75a49d8 Wow64SetThreadContext 223->226 227 75a49a5-75a49b1 223->227 229 75a49dc-75a49e3 226->229 227->226 230 75a49ec-75a4a1c 229->230 231 75a49e5-75a49eb 229->231 231->230
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075A49D6
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 3d790d92814e22e23e03d84021a83821776dc48354e4ad53387f88551def8d9f
              • Instruction ID: e2da20c0914e1da763cc6d06e151e8e778aa9823e3246a709dff7ae3bd2e1ff0
              • Opcode Fuzzy Hash: 3d790d92814e22e23e03d84021a83821776dc48354e4ad53387f88551def8d9f
              • Instruction Fuzzy Hash: 5E215CB19003099FDB10DFA9C485BEEBBF4EF48320F10842AD459A7341DB789944CFA4

              Control-flow Graph

              • Basic blocks 75a4f28-75a4ffe; API call: WriteProcessMemory
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075A4FB8
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 3e81f78458a10ddf1a5a379f30b2221c3088c50893ece2c81cb8c80ee4768c43
              • Instruction ID: ec97e21307e0615528f89fff4f0cee8e48bce802ed26376bd2f453489334a6b0
              • Opcode Fuzzy Hash: 3e81f78458a10ddf1a5a379f30b2221c3088c50893ece2c81cb8c80ee4768c43
              • Instruction Fuzzy Hash: 1C2157B190035A9FCB10DFA9C984BDEBBF5FF48310F10842AE959A7350C7789944CBA0

              Control-flow Graph

              • Basic blocks 75a5010-75a50de; API call: ReadProcessMemory
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075A5098
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 03690035aed21c50544329a76b5cf9224c37153c672bd10854f9f136f73923a8
              • Instruction ID: 38073d1681011854e71eb2c6ce4baa8380b655bf3b9383530d8161f9b1f6bf2f
              • Opcode Fuzzy Hash: 03690035aed21c50544329a76b5cf9224c37153c672bd10854f9f136f73923a8
              • Instruction Fuzzy Hash: 242139B2800359DFCB10DFA9D880BDEBBF5FF48320F10882AE559A7250D775A551CBA0

              Control-flow Graph

              • Basic blocks 75a4958-75a4a1c; API call: Wow64SetThreadContext
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075A49D6
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: a9b43eb1d6db8758e8f4ed11120dda49f1e5217b4fcadf86c5ba5fc33d30e54b
              • Instruction ID: 49635347a7b8f11f1083dd178dbd9b633c2b9d26e5ae997c2315e26e865b7b76
              • Opcode Fuzzy Hash: a9b43eb1d6db8758e8f4ed11120dda49f1e5217b4fcadf86c5ba5fc33d30e54b
              • Instruction Fuzzy Hash: AB2138B19003099FDB10DFAAC585BEEBBF4EF48320F50842AD459A7341C778A944CFA4

              Control-flow Graph

              • Basic blocks 75a5018-75a50de; API call: ReadProcessMemory
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075A5098
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 458612e8461b900f3563d49febdcee6459d6f6f9d5a1a5f1690929ab5adf0c73
              • Instruction ID: 180715f3c9dbb8ffbc89e33f7e9a9a8d11a86e00084caa7a106917e64ef16d2d
              • Opcode Fuzzy Hash: 458612e8461b900f3563d49febdcee6459d6f6f9d5a1a5f1690929ab5adf0c73
              • Instruction Fuzzy Hash: 3F2139B1800359DFCB10DFAAC984ADEFBF5FF48320F50842AE559A7250D7749554CBA4

              Control-flow Graph

              • Basic blocks 75a4e60-75a4f11; API call: VirtualAllocEx
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075A4ED6
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: fe06e644d0580359becc130b2e03660c35b478ebe169c1422c2da3ae708d1cad
              • Instruction ID: 87f90501b5a9eb2b38b3bd13f6372308700df732da5495a25c6324bf73feb594
              • Opcode Fuzzy Hash: fe06e644d0580359becc130b2e03660c35b478ebe169c1422c2da3ae708d1cad
              • Instruction Fuzzy Hash: C7118CB69002489FCB10DFA9D8457DEBFF5FB88320F20842AE515A7250C775A544CFA0

              Control-flow Graph

              • Basic blocks 75a48a0-75a4945; API call: ResumeThread
              APIs
              • ResumeThread.KERNELBASE(0000005F), ref: 075A490A
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 9cc7b0d6587420132abda534e34106f8681cb54966d9c01dfc75f329b64baa3a
              • Instruction ID: 1af317af86bcbca73bb243b7bb2179470668992ec7e786409fc02375a7b5cbfe
              • Opcode Fuzzy Hash: 9cc7b0d6587420132abda534e34106f8681cb54966d9c01dfc75f329b64baa3a
              • Instruction Fuzzy Hash: 38116DB19003498FCB20DFAAD445BEEFBF8EB88324F20842AD459A7350CB756544CFA4

              Control-flow Graph

              • Basic blocks 75a4e68-75a4f11; API call: VirtualAllocEx
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075A4ED6
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 3781ded3973ecb366e87457a52015e7a2aa98c2df34b8e99802cb9e67d29ac15
              • Instruction ID: 1c71014b7e506643ff62edbab2934e5f6a378f8d1e9cdad6ded3c1fe41078ba9
              • Opcode Fuzzy Hash: 3781ded3973ecb366e87457a52015e7a2aa98c2df34b8e99802cb9e67d29ac15
              • Instruction Fuzzy Hash: B21126B29002499FCB10DFAAC845AEEBFF9EB48320F208829E555A7250C775A554CFA1

              Control-flow Graph

              • Basic blocks 29fa7a4-29fb728; API call: GetModuleHandleW
              APIs
              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,029FB4C4), ref: 029FB6FE
              Memory Dump Source
              • Source File: 00000000.00000002.1737564156.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_29f0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 2fc5b4e7220e043f1587715d68521d300c9bb1851a9dbcb3c04a8c5da509085e
              • Instruction ID: 729444cad2064d629b5255a0836adce5e84a432c5a1d4ac0fc0c87a709e69d96
              • Opcode Fuzzy Hash: 2fc5b4e7220e043f1587715d68521d300c9bb1851a9dbcb3c04a8c5da509085e
              • Instruction Fuzzy Hash: F81102B5D007498FCB50DF9AC444ADEFBF8EB48328F10846AD519B7610C375A545CFA5

              Control-flow Graph

              • Basic blocks 75a48a8-75a4945; API call: ResumeThread
              APIs
              • ResumeThread.KERNELBASE(0000005F), ref: 075A490A
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 4af1c4d20b525237da07d8c45827a9decf8263e10ba179a63456c9297434bc2f
              • Instruction ID: 7cb79a2d43bff0d42f2f6dd9c2bd90d4d9c9496da2378c2bac2c18169474d96f
              • Opcode Fuzzy Hash: 4af1c4d20b525237da07d8c45827a9decf8263e10ba179a63456c9297434bc2f
              • Instruction Fuzzy Hash: AD113AB19003498FCB20DFAAC445BEEFBF8EB88324F208429D559A7250C775A544CFA4
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 075A9DB5
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 2b424fac36f205841edbabe328fee92ba284987ae69c51bcf18ed97c9389f653
              • Instruction ID: 12f85d893927a4ce470c784abff7f1b3bdd03ec1cf5d6e7ee6740c591d633e1e
              • Opcode Fuzzy Hash: 2b424fac36f205841edbabe328fee92ba284987ae69c51bcf18ed97c9389f653
              • Instruction Fuzzy Hash: F611F5B58003599FDB10DF9AC588BDEBBF8FB48324F10846AD559A7710C375A984CFA1
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 075A9DB5
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: b7f38543e3176c32180a55d21555d7c38a464834efd67bcaada0e48401e2c219
              • Instruction ID: 6fe3aca36a864b367c23f7c581693526481fdf4cbc555f28ae4802d1116d4f69
              • Opcode Fuzzy Hash: b7f38543e3176c32180a55d21555d7c38a464834efd67bcaada0e48401e2c219
              • Instruction Fuzzy Hash: C61103B58003599FCB10DF9AC988BDEBBF8FB48320F10845AD558A7310C375A584CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1736938572.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ce5600fb3919d5de26e62f4550cd010f7dbfd3710edd133dd46bcb4ab76e187
              • Instruction ID: 1c7c4ce7b6339bde266c346ce3a9b433c7105e79234584f7328e8fc1447fde41
              • Opcode Fuzzy Hash: 0ce5600fb3919d5de26e62f4550cd010f7dbfd3710edd133dd46bcb4ab76e187
              • Instruction Fuzzy Hash: C3213871100200EFEB06DFD4D9C0B2ABFA5FB88314F20C1A9E9490B296C73AC416CB71
              Memory Dump Source
              • Source File: 00000000.00000002.1736981401.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_101d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9aeca75726881bbfd87027253716fcc2b934cdf25d6bcf87c79eea9cf7add713
              • Instruction ID: 40a56f2f7e010db8054932ba07242a64d5016efb8148d77327a744d5a6d39e6f
              • Opcode Fuzzy Hash: 9aeca75726881bbfd87027253716fcc2b934cdf25d6bcf87c79eea9cf7add713
              • Instruction Fuzzy Hash: AB2107B1604204DFDB05DF58D5C8B2ABBA5FB84314F20C5ADD8894B25AC37ED446CB61
              Memory Dump Source
              • Source File: 00000000.00000002.1736981401.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_101d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8ed6250895dda3514d4c034f3745b4cd47237db9da601d954dc9cb39c9faa42
              • Instruction ID: d8cad731bee19ae48ba66f139b1066f522ffbfa200ab081605ab9039e4bb0b55
              • Opcode Fuzzy Hash: a8ed6250895dda3514d4c034f3745b4cd47237db9da601d954dc9cb39c9faa42
              • Instruction Fuzzy Hash: BC214971580200DFDB05DF98D5C8B6ABBA5FB84314F20C6ADE9894B35AC73EE446CB61
              Memory Dump Source
              • Source File: 00000000.00000002.1736981401.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_101d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce4485a415116cff3567d8f035297273c8f11ffabee5a0695252781eb0c1dc94
              • Instruction ID: 4b870643c2386a82b6f1b4ffb2ebe2078e377a412898d089409edce9e7377ff3
              • Opcode Fuzzy Hash: ce4485a415116cff3567d8f035297273c8f11ffabee5a0695252781eb0c1dc94
              • Instruction Fuzzy Hash: 2F212575504200DFCB16DF58D988B16BFA5FB84314F20C5ADE9894B25AC33AD447CB61
              Memory Dump Source
              • Source File: 00000000.00000002.1736938572.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
              • Instruction ID: c1651eb9a1918a8305cbf65cc9a3ea191aabde4836a43d804fe824e30a5f7861
              • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
              • Instruction Fuzzy Hash: 2321A276504284DFDB06CF94D9C4B56BFB2FB88314F24C6A9DD490B256C33AD426CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1736981401.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_101d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: 607d4a0d6bc084933fbc945c7177065fded8ee136129a54a2c5bd5efdc3ca9cd
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: 5B11DD75504280CFDB06CF58D5C8B15BFB1FB84318F24C6AED8894B25AC33AD40ACB61
              Memory Dump Source
              • Source File: 00000000.00000002.1736981401.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_101d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: b1978a192cfe7e6918ac1e0ac9b0415b248d00b0081dbcd2a53c07d5cf16d0e2
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: 8711DD75544280CFDB02CF54D5C8B55BFA1FB84314F24C6AAD9894B25AC33AE44ACBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1736981401.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_101d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: e96775076a5ba4b1027b67bfa55b6291fda18b934bb889845dc19e27deddfd15
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: 8C119075504280DFDB16CF58D5C8B16FFA2FB44314F24C6AAE8494B65AC33BD44ACB62
              Memory Dump Source
              • Source File: 00000000.00000002.1736938572.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 764ab4378694b923282ef1e083897153250e63f3955ff0bdc5a095bef0766caa
              • Instruction ID: 64504d89d61be71560980e89ccedf5762d4a328b08e6855d319ca2b21ecb35eb
              • Opcode Fuzzy Hash: 764ab4378694b923282ef1e083897153250e63f3955ff0bdc5a095bef0766caa
              • Instruction Fuzzy Hash: 150184710083449AF7125AD9C98476BFFD9EF41324F18C56AED895A2C6C6799840C7B2
              Memory Dump Source
              • Source File: 00000000.00000002.1736938572.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100d000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f3c7ec6e578d718c93daa7b91d8e9280b6eea370391832d711482db82809173
              • Instruction ID: 282991cf6bf6d675fa87c41b54e7e70612c7f3a7ac80161b7695b49b27f26421
              • Opcode Fuzzy Hash: 9f3c7ec6e578d718c93daa7b91d8e9280b6eea370391832d711482db82809173
              • Instruction Fuzzy Hash: 46F0C2720083449AF7119A5ACDC4B62FFE8EF80334F18C49AED484E286C2799840CBB1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: QQ
              • API String ID: 0-1296741153
              • Opcode ID: 8becd8ab6c6ca81eeec1b829f19cffccbda836db380ca1c33375251ae7c62fa9
              • Instruction ID: 0438dd22d26686eabd7193ae6120323c2e8f98b5889a3343f9e58811b4cc27cc
              • Opcode Fuzzy Hash: 8becd8ab6c6ca81eeec1b829f19cffccbda836db380ca1c33375251ae7c62fa9
              • Instruction Fuzzy Hash: CBE1F9B4E002199FCB14DFA9C5819AEFBF2BF89304F249169D414AB35AD730AD41CFA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: QQ
              • API String ID: 0-1296741153
              • Opcode ID: dba62e3ec21f1ae760523dec89b0f8b3b26befa0627a240ffe181319b89ebf91
              • Instruction ID: 6eef26ef875f89aa12d26cef5767c611b156c81b35b3f444d66d03a32abd7553
              • Opcode Fuzzy Hash: dba62e3ec21f1ae760523dec89b0f8b3b26befa0627a240ffe181319b89ebf91
              • Instruction Fuzzy Hash: 1A513AB4E002198BDB14DFA9D5815EEFBF2FF89304F24C16AD408AB256DB309941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ac9080ae2e75d2a4dc9f7144299ce93a9836b370c6909ae250e3a37ffd9a7d5
              • Instruction ID: a41b57cd7a575f35359b9f5d5151cb036f244fd45560018829693826a1942962
              • Opcode Fuzzy Hash: 6ac9080ae2e75d2a4dc9f7144299ce93a9836b370c6909ae250e3a37ffd9a7d5
              • Instruction Fuzzy Hash: AFE11CB4E042199FCB14DFA9C5809AEFBF2FF89304F24916AD514AB356D731A941CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.1737564156.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_29f0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33bf87ace0db40d8382b719e50d13900cb41949d61a8991f3111c86a02a52380
              • Instruction ID: cb58b0f9688ce7eb22d5f71cc6e12d852c67486494e84b9cc3630ab205030992
              • Opcode Fuzzy Hash: 33bf87ace0db40d8382b719e50d13900cb41949d61a8991f3111c86a02a52380
              • Instruction Fuzzy Hash: 1C1296F0429746CAF722CFA5E94A2897FB1BB45324F504208E2751F2E5DBB821CACF54
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99ce8496e7b0363b8138acaefcda68ac98db3b325c821e6eb799a0fb3db04fa3
              • Instruction ID: c40a0e6707e708b1d3385797bc46cdcea1e1e139f32db02539bf7ad5c21178ce
              • Opcode Fuzzy Hash: 99ce8496e7b0363b8138acaefcda68ac98db3b325c821e6eb799a0fb3db04fa3
              • Instruction Fuzzy Hash: 19E10AB4E002199FCB14DFA9C5819AEFBF2BF89304F249169E414AB359D730A941CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da27c04d9f7d62fd6fd9c4ed160bdd960f92a58effc0b0cf71768e725ead261b
              • Instruction ID: 4e791927e0ea071668c6a215b50e3ded88ddeb42e0388af393bb09edcb5d2494
              • Opcode Fuzzy Hash: da27c04d9f7d62fd6fd9c4ed160bdd960f92a58effc0b0cf71768e725ead261b
              • Instruction Fuzzy Hash: 13E12AB4E002598FCB14DFA9C580AAEFBF2BF89304F248169D514AB356D730AD41CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30da1a1a35fc0b36aebd3653da66604872024294441342df5c66802d92c93cf3
              • Instruction ID: 69ad48b42db20f4340ab5b70fe1a1bd249ef858986fdb4fc30f58f723be136b1
              • Opcode Fuzzy Hash: 30da1a1a35fc0b36aebd3653da66604872024294441342df5c66802d92c93cf3
              • Instruction Fuzzy Hash: B7E11AB4E002599FCB14DFA9C5809AEFBF2BF89304F248169D514AB35AD771AD41CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50053e48abe3cd579e1160732205766f979baac1d2823aa359e3aa8e2bc29800
              • Instruction ID: bfb095703ff8c9c966ad3611712c57f316b0cce874e64882213c129d2bee06b2
              • Opcode Fuzzy Hash: 50053e48abe3cd579e1160732205766f979baac1d2823aa359e3aa8e2bc29800
              • Instruction Fuzzy Hash: AA513AB0E002598FDB14DFA9D5805AEFBF2BF89304F24816AD418A7256D7319941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1759424564.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_75a0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae423338388df1e42253b16f66caff9349e1fb561af38efae2aab11aff39bc91
              • Instruction ID: bae25e576b5294092db3b063d092898b2b9f767118eb5ba15d22a0a2987dcce7
              • Opcode Fuzzy Hash: ae423338388df1e42253b16f66caff9349e1fb561af38efae2aab11aff39bc91
              • Instruction Fuzzy Hash: 6D510BB4E002198FDB14DFA9D5815AEFBF2FF89304F24816AD518A7356DB309942CFA1

              Execution Graph

              Execution Coverage: 0.7%
              Dynamic/Decrypted Code Coverage: 6.7%
              Signature Coverage: 10.6%
              Total number of Nodes: 104
              Total number of Limit Nodes: 9
              • Graph nodes reference the APIs RtlFreeHeap, RtlAllocateHeap, LdrInitializeThunk, LdrLoadDll, NtClose and ExitProcess

              Control-flow Graph

              • Basic blocks 417983-4179fd; internal calls: 42f6a3, 42fca3, 42ff43, 42e023; API call: LdrLoadDll
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004179F5
              Memory Dump Source
              • Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 352a911c7d75b054859a4398694d1711e84ed81b6f2a009f0faaad9a1ff4d0c8
              • Instruction ID: c7a968f45a459e0633ba3b3c9d85e8edd550cd31cb490a104a89d8a481d041c1
              • Opcode Fuzzy Hash: 352a911c7d75b054859a4398694d1711e84ed81b6f2a009f0faaad9a1ff4d0c8
              • Instruction Fuzzy Hash: BA0152B5E0010DA7DB10DAA5DC42FDEB3789B14308F4041A6E90897240F635EB588B95

              Control-flow Graph

              control_flow_graph 52 42c8b3-42c8ec call 404843 call 42db13 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C8E7
              Memory Dump Source
              • Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 1f2e55867fb49e0edbdfca481a993cadd69b59c11f28a48fb14a12efc8519f18
              • Instruction ID: d5d408aa627ccc7809f1817482fdcd7888bd1ae54e0b5777c1bc992e71757020
              • Opcode Fuzzy Hash: 1f2e55867fb49e0edbdfca481a993cadd69b59c11f28a48fb14a12efc8519f18
              • Instruction Fuzzy Hash: 95E04F363002147BDA20BA5ADC41FDB775CDBC9754F004419FB0DA7282D670BA0086E5

              Control-flow Graph

              control_flow_graph 66 1552b60-1552b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 7721fd2c83a9408983c063f0f6876968fca42f3f2c22d90d88f62310432644eb
              • Instruction ID: e62c8e289c433a2b59773b08029637a605623fc047e3eccb080a8e290743bd8f
              • Opcode Fuzzy Hash: 7721fd2c83a9408983c063f0f6876968fca42f3f2c22d90d88f62310432644eb
              • Instruction Fuzzy Hash: B59002A12025000341057158441461A404EA7E0211B59C421E5014A90DC56589916265

              Control-flow Graph

              control_flow_graph 68 1552df0-1552dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: d719ef23410cb3da2252790e230c93b4e902a8f541c29a03e127f813efa6d8a9
              • Instruction ID: 23a4a5f42e3282e9c80e27904049abbf83cae661eea65438f09298dc425973f7
              • Opcode Fuzzy Hash: d719ef23410cb3da2252790e230c93b4e902a8f541c29a03e127f813efa6d8a9
              • Instruction Fuzzy Hash: 1F90027120150413D1117158450470B004DA7D0251F99C812A4424A58DD6968A52A261

              Control-flow Graph

              control_flow_graph 67 1552c70-1552c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 0df5472cdf3baf70d0fa522b6b14c7201e75628ccfac7c0be9ad352b4e56d10c
              • Instruction ID: fcd417f37c7315818ae5ba4386526509433bcc75b35225ce09e7c05bdde14bed
              • Opcode Fuzzy Hash: 0df5472cdf3baf70d0fa522b6b14c7201e75628ccfac7c0be9ad352b4e56d10c
              • Instruction Fuzzy Hash: 3D90027120158802D1107158840474E0049A7D0311F5DC811A8424B58DC6D589917261

              Control-flow Graph

              control_flow_graph 69 15535c0-15535cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: df5bac9e3676624f1b249e0e2493cdc330610162412950a165c92b8bb14be913
              • Instruction ID: 3158f90ae95c1cc535f8574225d220287b1885343fd1dea0142d2eed21e5db29
              • Opcode Fuzzy Hash: df5bac9e3676624f1b249e0e2493cdc330610162412950a165c92b8bb14be913
              • Instruction Fuzzy Hash: F590027160560402D1007158451470A1049A7D0211F69C811A4424A68DC7D58A5166E2

              Control-flow Graph

              control_flow_graph 42 42cbe3-42cc27 call 404843 call 42db13 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E7BE,?,?,00000000,?,0041E7BE,?,?,?), ref: 0042CC22
              Memory Dump Source
              • Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: b6deca932c6654ca86d4eb412088f9019d810c86403fd3c820abf9ad62f2039c
              • Instruction ID: 1503fd3026b6a6c884018fb1076d2efb6d6f5d3df5eecbcf58bdfa754225d855
              • Opcode Fuzzy Hash: b6deca932c6654ca86d4eb412088f9019d810c86403fd3c820abf9ad62f2039c
              • Instruction Fuzzy Hash: B7E06D762042047BDA10EE59DC41FDB37ACEFC8714F004419FE08A7241E770B9108AB8

              Control-flow Graph

              control_flow_graph 47 42cc33-42cc77 call 404843 call 42db13 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,C4830C75,00000007,00000000,00000004,00000000,0041720F,000000F4), ref: 0042CC72
              Memory Dump Source
              • Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 38eafd8a1ea63597223e5a1425a7c26f04ed257e1e495f63d6fb01429785e211
              • Instruction ID: 1c873b0a11d26d802b22e0b7b45bc634ffb0764c5d8b412d7deec3f1fea9b478
              • Opcode Fuzzy Hash: 38eafd8a1ea63597223e5a1425a7c26f04ed257e1e495f63d6fb01429785e211
              • Instruction Fuzzy Hash: 8AE06D763002057BD610EE59EC41EAB77ACEFC8714F104429FE08A7282DA70B9108BB8

              Control-flow Graph

              control_flow_graph 57 42cc83-42ccbc call 404843 call 42db13 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 657fc2068f50c85c9734239eb842ba7256170667a099f2beb8aaa4f4faf4d97b
              • Instruction ID: ed91766b2cb9a97b247fab496e5ef85578791cc222d617aa0471655d34f62498
              • Opcode Fuzzy Hash: 657fc2068f50c85c9734239eb842ba7256170667a099f2beb8aaa4f4faf4d97b
              • Instruction Fuzzy Hash: 0DE04F763002147BD620EA5ADC42F97775CDFC5714F004429FA0CA7286D674BA0086B4

              Control-flow Graph

              control_flow_graph 62 1552c0a-1552c0f 63 1552c11-1552c18 62->63 64 1552c1f-1552c26 LdrInitializeThunk 62->64
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 05b80631f3484eb81599259fea08a4705200d8bff737d49eff4a92469a4e6fc0
              • Instruction ID: 5760267de3333edd6d20e25d5483df40e34ab16ffcb5404d326692ae926ce68e
              • Opcode Fuzzy Hash: 05b80631f3484eb81599259fea08a4705200d8bff737d49eff4a92469a4e6fc0
              • Instruction Fuzzy Hash: 61B09B719015C5D5DB51E764460871F794477D0711F19C462D6030B41F4778C1D1E3B5
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 9db370fbf3e368eead41da4fe7e8be637ccfb8b40706cbff40501acc8814bb46
              • Instruction ID: 9f519b4b8c7f812f5e1e854f7798a42845e7ffb91f767eb49039e45a9a732545
              • Opcode Fuzzy Hash: 9db370fbf3e368eead41da4fe7e8be637ccfb8b40706cbff40501acc8814bb46
              • Instruction Fuzzy Hash: 62928C71608342AFEB21DF29C880B6BB7E8BB84754F04491DFA95DB291D774E844CB93
              Strings
              • undeleted critical section in freed memory, xrefs: 0158542B
              • Critical section debug info address, xrefs: 0158541F, 0158552E
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0158540A, 01585496, 01585519
              • Thread identifier, xrefs: 0158553A
              • Thread is in a state in which it cannot own a critical section, xrefs: 01585543
              • Invalid debug info address of this critical section, xrefs: 015854B6
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015854E2
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015854CE
              • Critical section address, xrefs: 01585425, 015854BC, 01585534
              • Address of the debug info found in the active list., xrefs: 015854AE, 015854FA
              • 8, xrefs: 015852E3
              • corrupted critical section, xrefs: 015854C2
              • Critical section address., xrefs: 01585502
              • double initialized or corrupted critical section, xrefs: 01585508
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              • Opcode ID: f422decd76389ec97508cea3bf2f1b4f52e08261589adb81214fc5b055f60eed
              • Instruction ID: 3f8c295831113149669cd43554cef94153c3952642763f37fc1c7d74b3efd671
              • Opcode Fuzzy Hash: f422decd76389ec97508cea3bf2f1b4f52e08261589adb81214fc5b055f60eed
              • Instruction Fuzzy Hash: 3D818E71A41349AFDB21DF99C845BAEBBF5FB48714F20415EF604BB260E371A940CB60
              Strings
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01582624
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01582506
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015825EB
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01582412
              • @, xrefs: 0158259B
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0158261F
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015824C0
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01582602
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015822E4
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01582498
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01582409
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              • Opcode ID: 791f0600c3e910d1fb5afda6665f9bc3500adb6a779d8a9aad4ac68ef26f8360
              • Instruction ID: 3f31beec2bec6181c828690acb270e96aaccf10d0354ba7f7086ed9ed607ae2c
              • Opcode Fuzzy Hash: 791f0600c3e910d1fb5afda6665f9bc3500adb6a779d8a9aad4ac68ef26f8360
              • Instruction Fuzzy Hash: 1A0250B1D002299BDB31DB54CD80B9DBBB8BF54314F4045EAA609BB251EB709E84CF69
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              • Opcode ID: df42e1f4859f4d4fe90dd21e04d032cc1e814b6522d86ec62b69d5cd305a2da3
              • Instruction ID: 7e6331b08768e4b26bea0a3c1af2d4d6396de6f5c42954fb369c13fd9def7146
              • Opcode Fuzzy Hash: df42e1f4859f4d4fe90dd21e04d032cc1e814b6522d86ec62b69d5cd305a2da3
              • Instruction Fuzzy Hash: 6151AFB15043069BD329DF18C888BEBBBECBF94651F245A1EA9598B250E770D604CBD2
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 9d39f643c01afcb9c573cee44f83395e3a111b652289ec83101f73cb75184c5c
              • Instruction ID: b21dd342cd8e8b402ac112c0325a8b2fe2479686365db4c5163b9ddf8198a746
              • Opcode Fuzzy Hash: 9d39f643c01afcb9c573cee44f83395e3a111b652289ec83101f73cb75184c5c
              • Instruction Fuzzy Hash: B6D1BD39500686DFDB22DFA8C880AAEFBF1FF99A14F18845DE5459F292C734D981CB50
              Strings
              • VerifierDlls, xrefs: 01598CBD
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01598A67
              • VerifierDebug, xrefs: 01598CA5
              • AVRF: -*- final list of providers -*- , xrefs: 01598B8F
              • VerifierFlags, xrefs: 01598C50
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01598A3D
              • HandleTraces, xrefs: 01598C8F
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              • API String ID: 0-3223716464
              • Opcode ID: 53dbe6b8fbb3f838aedd495211f5215403f3de5790be963c2feb08f568dea17e
              • Instruction ID: 793fcd863c958184ded9f7cd2140bf95345f9d2525ef1b879cfa6e55ab0a36d3
              • Opcode Fuzzy Hash: 53dbe6b8fbb3f838aedd495211f5215403f3de5790be963c2feb08f568dea17e
              • Instruction Fuzzy Hash: 9591247264170AAFDB22EF68CC80B1B7BE5BF95714F484819FA416F291C770AC50CB92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: a009ce8c8d768414ff796cecd9a1d7938995c4885ecb8ae644978a34c7d1bd26
              • Instruction ID: 6883b5adecb710c90535ec5a6abfdba740a244575e3a20a9729428ce4c463e90
              • Opcode Fuzzy Hash: a009ce8c8d768414ff796cecd9a1d7938995c4885ecb8ae644978a34c7d1bd26
              • Instruction Fuzzy Hash: 64A24B74A0562A8FEB66CF18DC897ADBBB5BF45304F1442DAD90DAB254DB309E85CF00
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 80160fd9ad76e234408916fa4118bc7508477e8714c6159ad3e49f9fc7170982
              • Instruction ID: 2e19a94e0c42a3a34afaf4775deddf28dcce6e3ed43ac6bfed46252303ce645a
              • Opcode Fuzzy Hash: 80160fd9ad76e234408916fa4118bc7508477e8714c6159ad3e49f9fc7170982
              • Instruction Fuzzy Hash: D991F531B003179BEB26EF58DC89BAF7BA1BB51B18F10011ED9027F281D7B49811CB91
              Strings
              • apphelp.dll, xrefs: 01506496
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01569A01
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015699ED
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01569A2A
              • minkernel\ntdll\ldrinit.c, xrefs: 01569A11, 01569A3A
              • LdrpInitShimEngine, xrefs: 015699F4, 01569A07, 01569A30
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              • Opcode ID: ecf5d5227b1a59d3e90f008cd2954a67d64ab8a13e8911c3da3249f0488cc970
              • Instruction ID: 1af4f162eed9050175a5fde6b029fdb8e03af669cc529895d133021642d8c18c
              • Opcode Fuzzy Hash: ecf5d5227b1a59d3e90f008cd2954a67d64ab8a13e8911c3da3249f0488cc970
              • Instruction Fuzzy Hash: 6851BF712583059FD722DF64CC41AAFB7E8FB84648F50091EF5859F2A0D7B0E954CBA2
              Strings
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01582178
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015821BF
              • RtlGetAssemblyStorageRoot, xrefs: 01582160, 0158219A, 015821BA
              • SXS: %s() passed the empty activation context, xrefs: 01582165
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0158219F
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01582180
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: 517b42c4099f3f657bf6def0630d53bb517a92a30aed2e0e0ffdc3d8daffec3e
              • Instruction ID: 01b440d1a1bb62d2b43c3c612402310e7ed778d34b4d8b8fdcf9e718dd34ed9d
              • Opcode Fuzzy Hash: 517b42c4099f3f657bf6def0630d53bb517a92a30aed2e0e0ffdc3d8daffec3e
              • Instruction Fuzzy Hash: 0131053AF402257BFB21DA999C41F5E7EB8FFA4A94F15005EBB04BF250D2709A00C6A1
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 0154C6C3
              • minkernel\ntdll\ldrredirect.c, xrefs: 01588181, 015881F5
              • Loading import redirection DLL: '%wZ', xrefs: 01588170
              • LdrpInitializeImportRedirection, xrefs: 01588177, 015881EB
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 015881E5
              • LdrpInitializeProcess, xrefs: 0154C6C4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: e21ee65b6da0da48e9a596fbd3e61d88f7e4955bca3b847a24d0132c8d48ff84
              • Instruction ID: 3ed6370d9000e8d3f632e850a87ba4c7ccde96c894049da8bef8ef3c15166f13
              • Opcode Fuzzy Hash: e21ee65b6da0da48e9a596fbd3e61d88f7e4955bca3b847a24d0132c8d48ff84
              • Instruction Fuzzy Hash: 6231CC716447029BC324EE28DD4AE2AB7E5FBD4B14F00091CF981AF291EA60EC04C7A2
              APIs
                • Part of subcall function 01552DF0: LdrInitializeThunk.NTDLL ref: 01552DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01550BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01550BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01550D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01550D74
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              • Opcode ID: 33e368543e9d9fd93d5a370f4ce69fc4fe956ffb32bcc405c510b9e23803b99f
              • Instruction ID: f8421e90c51f3fbe91b25822da370af6f1f270098ec81bd4c75a30ace016f82a
              • Opcode Fuzzy Hash: 33e368543e9d9fd93d5a370f4ce69fc4fe956ffb32bcc405c510b9e23803b99f
              • Instruction Fuzzy Hash: 44426B75900716DFDB61CF68C890BAAB7F4BF44314F1445AAE989EF241E770AA84CF60
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: b15569ee63939428dfa1a76c62b83129ec7039a81244ac055ebc2a2307be7254
              • Instruction ID: 54950ea036bf9ffebd041b809fc5759238fbc71ef56e625c3ccfcd6ad16df240
              • Opcode Fuzzy Hash: b15569ee63939428dfa1a76c62b83129ec7039a81244ac055ebc2a2307be7254
              • Instruction Fuzzy Hash: D8C17974509382CFEB23DF58C044B6AB7E4BF84704F04486AF9958F259E778CA49CB52
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 01548421
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0154855E
              • LdrpInitializeProcess, xrefs: 01548422
              • @, xrefs: 01548591
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              • Opcode ID: a73f76ea2caa2610619cbbbdc1b5d68bba468df8843362b5cb87d46f5746edf8
              • Instruction ID: 74b9385ada762795a9b03095eb021b38f19245b30a2af96785c948a391f2512f
              • Opcode Fuzzy Hash: a73f76ea2caa2610619cbbbdc1b5d68bba468df8843362b5cb87d46f5746edf8
              • Instruction Fuzzy Hash: 75919C71558346AFD722EF65CC40EAFBBE8BF84758F40492EFA849A151E334D904CB62
              Strings
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015822B6
              • .Local, xrefs: 015428D8
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015821D9, 015822B1
              • SXS: %s() passed the empty activation context, xrefs: 015821DE
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: 99d57482078f2a0b4ee87907b610b89330df6efbb3b2620551eccac9a682138f
              • Instruction ID: f90040c382092b2133a8633aecfe70ca3cf93807732d3eb99a40525d758ac2fa
              • Opcode Fuzzy Hash: 99d57482078f2a0b4ee87907b610b89330df6efbb3b2620551eccac9a682138f
              • Instruction Fuzzy Hash: 90A1C13590022ADBDB24DF58DC88BA9B7B1BF58358F1541EAE909AF251D7309EC0CF90
              Strings
              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0158342A
              • RtlDeactivateActivationContext, xrefs: 01583425, 01583432, 01583451
              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01583456
              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01583437
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
              • API String ID: 0-1245972979
              • Opcode ID: 80e56ab0811c5b78ae1245d749e6f6c883cfcc5d9d3fca0fbd84406e7f0d284c
              • Instruction ID: 7882de1f9c6a789f57a9a68dc70bbba5d990ff2887d116cc0914d18d73396f60
              • Opcode Fuzzy Hash: 80e56ab0811c5b78ae1245d749e6f6c883cfcc5d9d3fca0fbd84406e7f0d284c
              • Instruction Fuzzy Hash: 136145326807129BDB22DF1DC845B2EBBE5FF80B24F18852DE955AF260D730E801CB95
              Strings
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01571028
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015710AE
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0157106B
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01570FE5
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              • Opcode ID: e4a86382185a62209217fd7dc86daa788955094cb0b1b7cf1cfd665652741051
              • Instruction ID: d71b8d0d0c94009eb7dd71454c0723628b302b7521414caf52f42395ef041081
              • Opcode Fuzzy Hash: e4a86382185a62209217fd7dc86daa788955094cb0b1b7cf1cfd665652741051
              • Instruction Fuzzy Hash: C371DFB19043069FDB22DF14C885B9B7FA8BF95764F400869F9498F18AD374D588CBD2
              Strings
              • apphelp.dll, xrefs: 01532462
              • minkernel\ntdll\ldrinit.c, xrefs: 0157A9A2
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0157A992
              • LdrpDynamicShimModule, xrefs: 0157A998
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              • Opcode ID: d7ee9dfe90af078a8d688f6bd4758eb57d4bb98284dfb548a42f2d2531eb3772
              • Instruction ID: 76227091e0ff52fa958161045adc766bed000c3283b91992e27211ac9164dfae
              • Opcode Fuzzy Hash: d7ee9dfe90af078a8d688f6bd4758eb57d4bb98284dfb548a42f2d2531eb3772
              • Instruction Fuzzy Hash: 77311871640202ABDB37AF5DEC86A6F77B5FBC4700F1A0059E9016F255D7B05961C790
              Strings
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0152327D
              • HEAP: , xrefs: 01523264
              • HEAP[%wZ]: , xrefs: 01523255
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: f8f0c089bcc56b2f111a0f659e5937a7633797e8236ade126d3d2885ffba492b
              • Instruction ID: 703164242bf654b0fb58fe7f39c3be503c5f8f35fc6238454f7880f78737e395
              • Opcode Fuzzy Hash: f8f0c089bcc56b2f111a0f659e5937a7633797e8236ade126d3d2885ffba492b
              • Instruction Fuzzy Hash: 3992CF76A042699FDB25CF68C4447AEBBF1FF4A300F188499E859AF391D738A941CF50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: 435c7d4c60ce332ef2c7616235331834f1bc8e4d8d03f01d5c00c2c54f8d29e7
              • Instruction ID: 92b5b29063f995fedf5d7fbd7242929826221bf04c57bf40c25c9b91b4144307
              • Opcode Fuzzy Hash: 435c7d4c60ce332ef2c7616235331834f1bc8e4d8d03f01d5c00c2c54f8d29e7
              • Instruction Fuzzy Hash: C1F19831A01616DFEB26CF68D884B6AB7F5FB86300F148569E5469F3D1E730E981CB90
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: 0b249f763ad70efbe68faa13077be6593b05e3ac764abe414e3183f47c558088
              • Instruction ID: 4ef2f9b5f5c5673add816d2ba1a88142c1c8fa19eeceb240129895153d93aaf9
              • Opcode Fuzzy Hash: 0b249f763ad70efbe68faa13077be6593b05e3ac764abe414e3183f47c558088
              • Instruction Fuzzy Hash: 7BC25CB1A083429FD725CF29C881BABBBE5BFC8754F04892DF9898B241D734D945CB52
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: 32add2676c2e52b2ca43a62fd3db2dd666c79ce2897fdaed7deca6dba356f127
              • Instruction ID: a6036194617d1a056356938041df6cd770e4e1fde09cdca0ddc58c77d8b29b2f
              • Opcode Fuzzy Hash: 32add2676c2e52b2ca43a62fd3db2dd666c79ce2897fdaed7deca6dba356f127
              • Instruction Fuzzy Hash: E5A1607191162A9BDB31DF64CC88BADB7B8FF44711F1041EAD909AB250E7359E84CF90
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 0157A121
              • Failed to allocated memory for shimmed module list, xrefs: 0157A10F
              • LdrpCheckModule, xrefs: 0157A117
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              • API String ID: 0-161242083
              • Opcode ID: 18824fc2eedddbe249acd998bb644140021b40021221b68ede024a37752e53a0
              • Instruction ID: 156cc32ac362b376e7cf12cd70a70a1010ce9d69fa1e80b96479b00eb738b8c8
              • Opcode Fuzzy Hash: 18824fc2eedddbe249acd998bb644140021b40021221b68ede024a37752e53a0
              • Instruction Fuzzy Hash: CA71D071A00306DFDB2ADF68DD81ABEB7F4FB84604F18446DE8029B295E734A951CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-1334570610
              • Opcode ID: aaf88fcc8b2ada69cec6f7683f0ead47f6d4351dcc200848815b4366b7da9514
              • Instruction ID: c4ae58affa1c8faafb9e5ecee80ab23b052b5690e74954b2eef5f23035b6ac3a
              • Opcode Fuzzy Hash: aaf88fcc8b2ada69cec6f7683f0ead47f6d4351dcc200848815b4366b7da9514
              • Instruction Fuzzy Hash: 0661CE72611316DFDB29CF28D885B6ABBE1FF45304F14895AE4498F2D2D7B0E881CB91
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 015882E8
              • Failed to reallocate the system dirs string !, xrefs: 015882D7
              • LdrpInitializePerUserWindowsDirectory, xrefs: 015882DE
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: 148f68b864566bafab3315b4156e79b782d7990289e12912cc5c9d9f1085e372
              • Instruction ID: 8c3f04bf02523926d04acc10bc3322de17e6ed7347111bce9e0d2d0f91142e0d
              • Opcode Fuzzy Hash: 148f68b864566bafab3315b4156e79b782d7990289e12912cc5c9d9f1085e372
              • Instruction Fuzzy Hash: C041F171151312ABD722EB68DC40B5B77E8FF84754F00492EF9499B2A1E770E810CB92
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 015CC1C5
              • PreferredUILanguages, xrefs: 015CC212
              • @, xrefs: 015CC1F1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 3cb8cd805833a1109135aec1216e140cbc8bec47e3429e359f62fbaf49091f70
              • Instruction ID: 4f7d768f202aa7e34f539c0cbf492db3431f7b40f9ecaa22fe783261b0a948a5
              • Opcode Fuzzy Hash: 3cb8cd805833a1109135aec1216e140cbc8bec47e3429e359f62fbaf49091f70
              • Instruction Fuzzy Hash: CE417471E1021AEFDF11DED8C851BEEBBB9BB54B00F14406EEA49BB280D7749A44CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 34bd29824ef112ef010f8a0c2ca28a2f7295c3dcafc32275647042785f07899c
              • Instruction ID: 6f867cd66a7a0dc3b3414ab70c435a1cf8631ec4397133772ea10d42a873f86e
              • Opcode Fuzzy Hash: 34bd29824ef112ef010f8a0c2ca28a2f7295c3dcafc32275647042785f07899c
              • Instruction Fuzzy Hash: 3A412632A406598BEB26DBE8C840BADBBF4FF95340F58046AD901EF392D7B49901CB10
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 01594899
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01594888
              • LdrpCheckRedirection, xrefs: 0159488F
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 4fa24fcb4edd7ac46de1fdc7bc1cc8ead5f6264609b21644434de0d44f99b7bd
              • Instruction ID: 069cb83f8bf9a0800a8ca46dadfd17a9fc202f55d5d1038951ff6db7d66b59b0
              • Opcode Fuzzy Hash: 4fa24fcb4edd7ac46de1fdc7bc1cc8ead5f6264609b21644434de0d44f99b7bd
              • Instruction Fuzzy Hash: DD41BE32A142559FCF22CF69DA40A2B7BE4FF89A50B05056DED499F312E730DC12CB92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-2558761708
              • Opcode ID: a6c887d5e4e2d38d19c5d5569f293a59862c46f192a914d8e746911a470a6297
              • Instruction ID: be0da3210182d33db1a9fb0a29e69686121cf83442c6aafc9ffd8d8b1df6e945
              • Opcode Fuzzy Hash: a6c887d5e4e2d38d19c5d5569f293a59862c46f192a914d8e746911a470a6297
              • Instruction Fuzzy Hash: 7611C0323661129FDB2ACB28D886B2AB3A6FF81616F148519F4068F2D1E734D841C755
              Strings
              • LdrpInitializationFailure, xrefs: 015920FA
              • minkernel\ntdll\ldrinit.c, xrefs: 01592104
              • Process initialization failed with status 0x%08lx, xrefs: 015920F3
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: fbed2aaa82cab049ace60566d63b2b6d75314d06189409f9838b825d8457b16a
              • Instruction ID: 3e1b1029a9fb4197a706f5e5857b9611bc8ba7d97b9406769f3dfd62cb411fd4
              • Opcode Fuzzy Hash: fbed2aaa82cab049ace60566d63b2b6d75314d06189409f9838b825d8457b16a
              • Instruction Fuzzy Hash: F9F0AF75640209BBEB24E64DCD46FAA3768FB80B54F60045EFB006B281E2F0A950CA92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: b5fbc1348469ed351e485a6b16d1f863bd772e97f80e77a4de9b72726503b7f8
              • Instruction ID: be1531644955fdcc375de38746f3c86c0ac95373a647a79ca4849ae35d817148
              • Opcode Fuzzy Hash: b5fbc1348469ed351e485a6b16d1f863bd772e97f80e77a4de9b72726503b7f8
              • Instruction Fuzzy Hash: 57716B72A0011A9FDB01DFA8D995BAEB7F8FF48344F144065E905EB291EB34ED01CBA1
              Strings
              • LdrResSearchResource Enter, xrefs: 0151AA13
              • LdrResSearchResource Exit, xrefs: 0151AA25
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              • API String ID: 0-4066393604
              • Opcode ID: d6d55aba0054560d5f8d46a8ed0674973746da53c5a9673b4f703f515680d3bd
              • Instruction ID: f5b8c2433c66a068aaf068b3b8c829ab224b6d86e6456c55cffb2865df02f758
              • Opcode Fuzzy Hash: d6d55aba0054560d5f8d46a8ed0674973746da53c5a9673b4f703f515680d3bd
              • Instruction Fuzzy Hash: BDE19072E012999FFB23CFA9D981BAEBBB9BF44310F140826E911EF255D7749940CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: aae62bcca773d01fcb8edc9727b94b4f192acf4f4bf0541e229058eb928143ce
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 44C189312043429BEB35CE2CC841B6BBBE5BFC4318F184A2DF6968B291D7B4D545CB92
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 393df95aef34a36125f9a29aeed0942ad5e13402ee2bbaa15d417488705ee01b
              • Instruction ID: fc320cb635ebb747bf0d0025d7166d360c4ac42fbac4002f6430d39aa3bad1e8
              • Opcode Fuzzy Hash: 393df95aef34a36125f9a29aeed0942ad5e13402ee2bbaa15d417488705ee01b
              • Instruction Fuzzy Hash: 3D614B71E102199FDB15EFA98841BAEBBF5FB44700F14446EEA49EF251D731A940CF50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              • Opcode ID: 17ab467ffb1c07752dc9c92d8834e6df8f664067f53f7b7c8fdec1e2b22052cf
              • Instruction ID: 013ff9dd9edde744c317e6a569e4271113fe246d6a3f0d4769a445cb1fff89ae
              • Opcode Fuzzy Hash: 17ab467ffb1c07752dc9c92d8834e6df8f664067f53f7b7c8fdec1e2b22052cf
              • Instruction Fuzzy Hash: 2E510A71D0061EAFDF11DFE9CC90AEEBBB8FB48754F10052AEA11BB291D6349905CB60
              Strings
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0151063D
              • kLsE, xrefs: 01510540
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: ce927f428a3118fd622bb5320239c12b1eddadac1adccaed94176a257faf4324
              • Instruction ID: 33ccc9aea486f8c5f1ed59a008971a21ac12c070dcc840dddab79eb852c6dfe7
              • Opcode Fuzzy Hash: ce927f428a3118fd622bb5320239c12b1eddadac1adccaed94176a257faf4324
              • Instruction Fuzzy Hash: E451B1715047428BE726EF28C5406ABBBE4BF84304F104C3EF6998B285E774D585CF92
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0151A309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0151A2FB
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: fcc3aaf005d15388f701acc4c6e67a20d27af3b8f6c6682cf4ac5987984127d2
              • Instruction ID: d53fdcf51539ee05c02644a6e9759fc773a246be6db538d481ebb6d9dbbc4035
              • Opcode Fuzzy Hash: fcc3aaf005d15388f701acc4c6e67a20d27af3b8f6c6682cf4ac5987984127d2
              • Instruction Fuzzy Hash: 7641AB71A01696CBEB138F69D840B6EBBF4BF85700F1444A9E904DF299E2B5DA40CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 228af15e90b648d5fb249fb504d690bad069bd887e3e8be7010d8afd087bb893
              • Instruction ID: 876849e07bbf025aa7c04e7c2688a52af4b8dab75a8f9c79e94a20145fbc3481
              • Opcode Fuzzy Hash: 228af15e90b648d5fb249fb504d690bad069bd887e3e8be7010d8afd087bb893
              • Instruction Fuzzy Hash: 9901F4B2694700AFD351DF24CD49F1677E8F78471AF00893AA649CB190E774D814DB4A
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: fc1d1cfe7aae7c9670c4b3e2aa6c84d1e8f19d13d9b00a2d440c1843463da437
              • Instruction ID: 42c9a4af75a59a770edc3bd67cf5e3c2a90d8c1cc73aa58e2a3b6d666db6a0b3
              • Opcode Fuzzy Hash: fc1d1cfe7aae7c9670c4b3e2aa6c84d1e8f19d13d9b00a2d440c1843463da437
              • Instruction Fuzzy Hash: D8827B75E402198FEB26CFA8C884BEDBBB1BF48310F148169E919AF358D775AD41CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: f3ba1904705fccfe65d0887bf9868f48454fb7ca512aee21f31fa9cf19e2078d
              • Instruction ID: e52bb155acc100e879c3e17bcd83919526a55bfd6be766d900cbac2fd7b05b3b
              • Opcode Fuzzy Hash: f3ba1904705fccfe65d0887bf9868f48454fb7ca512aee21f31fa9cf19e2078d
              • Instruction Fuzzy Hash: FC914D7294021AABEF21DB95CD85FAEBBB8FF59750F100065F600AF190D674A904CBA1
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 663e4afde025aa2ae42453f0a835d4fb0188104d0c17d75ee97b7368be72dc83
              • Instruction ID: 4dd148fa2a9d1ac1dac9edbd99246253779741e563df5896d1da0b1f071d19d8
              • Opcode Fuzzy Hash: 663e4afde025aa2ae42453f0a835d4fb0188104d0c17d75ee97b7368be72dc83
              • Instruction Fuzzy Hash: 44917E3290160AAFDB26ABA5DC85FEFBBB9FF85750F180025F501AB250E774A941CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: 08298764a4d7ce89c8c68e0b51bb23e9cfc7e5e63ff82c22981ac3c6772fcbe0
              • Instruction ID: aa24e2feff1444dad710fdf2291df412bcb58c67f20248a6637e4641aa8e8962
              • Opcode Fuzzy Hash: 08298764a4d7ce89c8c68e0b51bb23e9cfc7e5e63ff82c22981ac3c6772fcbe0
              • Instruction Fuzzy Hash: AC716DB5E0020A8FDF29EF9CD5906ADBBF1BF88700F14852AE506BF241E7309941CB90
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              • Opcode ID: 4f005dfb1c50fdf2cba08b9d7f9bf4af729aabf87b3306130397f69b28717d16
              • Instruction ID: c46e33de64ddf452b27a3aa87b0bda64afc0c510647e4f39265f5eca13fcd755
              • Opcode Fuzzy Hash: 4f005dfb1c50fdf2cba08b9d7f9bf4af729aabf87b3306130397f69b28717d16
              • Instruction Fuzzy Hash: 8751C972D002269BDF21DF99D880AEEBBB9BF45614F05412AEA16BF251D3749C01CBE4
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: 75bf4c57ace13ddb4a7156efbe93a68046ae92253284cd67f55745dbe7435e82
              • Instruction ID: e23b92079df36429213f7d8a50e1a0b5ec065d1653327ce5085e6da086f9dbd0
              • Opcode Fuzzy Hash: 75bf4c57ace13ddb4a7156efbe93a68046ae92253284cd67f55745dbe7435e82
              • Instruction Fuzzy Hash: 4B416F735083629BD721DA65D881B6FBBE8FF89614F48092EF584EF1C0E674D90487A2
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 3c3a6070d38a440f11062c3dbd489f77ce9df1932b40ca9156574ebe10551c13
              • Instruction ID: a9fe93ed7258190ff6438a4968a54e8bab358864d9d1f1fb19d0423e91f62c20
              • Opcode Fuzzy Hash: 3c3a6070d38a440f11062c3dbd489f77ce9df1932b40ca9156574ebe10551c13
              • Instruction Fuzzy Hash: C44144B1D5012EABDB21EB60CC94FDEB77CBB44714F0045A5AA08BF150DB709E898FA4
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: 2599e5d30200735c49770ec03359e0eec445e36494e148587b94d3d30c89ce0f
              • Instruction ID: 6ff946a87be48dcba68f6ad038abeab4ce565bae22225baa5caafbf828cbf204
              • Opcode Fuzzy Hash: 2599e5d30200735c49770ec03359e0eec445e36494e148587b94d3d30c89ce0f
              • Instruction Fuzzy Hash: 08315D31A803199BDB22DF68CC64BEEBBB8FF44704F984029E940AF282D775D805CB50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: BinaryName
              • API String ID: 0-215506332
              • Opcode ID: 812731b5a08f164fd1020fd13b1681f1306a5940f194dae4dacc139711258963
              • Instruction ID: c0f52a01093d6c18aa9e6e508052870640d07cfc6921599062385e194fa921bf
              • Opcode Fuzzy Hash: 812731b5a08f164fd1020fd13b1681f1306a5940f194dae4dacc139711258963
              • Instruction Fuzzy Hash: 3631D13690091AAFEB15EA59C855EAFBBB4FB80720F414169E905BB290D7309E04DBF0
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0159895E
              Memory Dump Source
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Opcode Fuzzy Hash: dd0d5a878447d2d4299f0779837fc2a41b32535e54aaa72f6eb65088108eb9da
              • Instruction Fuzzy Hash: 3A51E5709002179BEB268B68CC00BEDBBF5FF56314F1482A9E529AF2C5D7749981CF80
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 894dac5d544246fbcd1b3ee6a9385aa315fb4f16c0d7221fedef7d9cb2ec7b80
              • Instruction ID: 815e957c13ab5889e5397d7cdf548684246208db11a70220464614bb09fdd849
              • Opcode Fuzzy Hash: 894dac5d544246fbcd1b3ee6a9385aa315fb4f16c0d7221fedef7d9cb2ec7b80
              • Instruction Fuzzy Hash: 95419475A002299BDB21DF68C941BEEB7B8FF95740F0100A9E908AF281D7749E81CF91
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 52a8e74bc1863bdaad7e8fbc574e48e4443e0316743314d99d06050ee85a9749
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 6C418375B00206ABEB25DF9DCC85AAFBBBABFD8750F254069E904AB341D670DD01C760
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a41ce5dcc90779eee04b321bb94704c0a4e0e483a51036999e35fb6712997f63
              • Instruction ID: 45af4aa884d8b78aca46c92e4063f693e67ae0eb87f342c0d43065a292f4e34e
              • Opcode Fuzzy Hash: a41ce5dcc90779eee04b321bb94704c0a4e0e483a51036999e35fb6712997f63
              • Instruction Fuzzy Hash: 8641A3716007069FF726CF28C890A26B7F9FF89314B148A6DE5468F695E730F895CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: faf3c7ed84b2d8c6be231238de317945f611777329ca184440d37cb6a59bbff9
              • Instruction ID: e1d89be48b122dec65580fe1a84fd4450dd773c0a98c49b14d358f080e251ac2
              • Opcode Fuzzy Hash: faf3c7ed84b2d8c6be231238de317945f611777329ca184440d37cb6a59bbff9
              • Instruction Fuzzy Hash: 8A41CA32A00205CFDF26DF6CE996BAE7BB0FBD8260F040599D551AF2C1DB349900CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d83cc57b1c6bf318b961cadb740badccd75323b2b320cbdae33755241f8d613
              • Instruction ID: 6ed4c4ec02b561c6fe7351a594f69143cc2914f43b3d1fc52c94a2e17190157f
              • Opcode Fuzzy Hash: 6d83cc57b1c6bf318b961cadb740badccd75323b2b320cbdae33755241f8d613
              • Instruction Fuzzy Hash: 0041CE32A00202CBE7369F5CDC80A5ABBB5FBD4714F14812EEA01AF659DB75D842CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9ad45cd8a3ee9df1092f9463d6c3aeb93dc908e8b4d8550155f041726f692969
              • Instruction ID: 929d5d076835cd47ea2c3c9fa747b2470b1fae8a90ba31c02a7aa1469e94a56a
              • Opcode Fuzzy Hash: 9ad45cd8a3ee9df1092f9463d6c3aeb93dc908e8b4d8550155f041726f692969
              • Instruction Fuzzy Hash: E84141319187069ED312DF65C840A6BB7E9FF88B54F40092AF984DB290E734DE458BE3
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 66f74b9da55e1ccd5e9eceffdd5ec00c644095a44f93a74ba23e41e4407857f9
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: E041F631B0031ADBEB12DFA984507BEFBB5BB90754F15806AA955DF291D6328D40CBD0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4629dfb08cf84ef4970f173486004e8385ec47d1fa5e9600e605959012a683da
              • Instruction ID: ce325bf154d3d78d1b241cfe1eac7d04b58a5c1e2c110feaa9728cb0f92670e6
              • Opcode Fuzzy Hash: 4629dfb08cf84ef4970f173486004e8385ec47d1fa5e9600e605959012a683da
              • Instruction Fuzzy Hash: 56416D72641601DFE722DF18C840B2ABBF5FF95314F24896AE449CF295E771E981CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 4a850427f91ea276c6138f7c90be885ae23eea6ad5f794aa4c6eacf42b6ed725
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: C3415F71A00705EFDB24CF98C980AAABBF4FF18704B20496DE656DB691E330EA44CF51
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f0cc5a774d1a51e3068ab1a316f0546177530041563ebb9b4bb3e598f0fe7e4
              • Instruction ID: 20fadb4769dcdae0a5c44dc21246fa103ae760520606ccfd0f0954b0d4b172cd
              • Opcode Fuzzy Hash: 2f0cc5a774d1a51e3068ab1a316f0546177530041563ebb9b4bb3e598f0fe7e4
              • Instruction Fuzzy Hash: A741D171901702CFEB27EF28D94065AB7F5FF98310F208AAAC4169F6E5DB30A941CB51
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a327b1772ad11639c7bebe0291da5caacfe10698d21143766de30d8433d7c4cd
              • Instruction ID: 642eb7023719cc684e83a894024db422cf4cb90ad5d6ec8d5079b606ad802017
              • Opcode Fuzzy Hash: a327b1772ad11639c7bebe0291da5caacfe10698d21143766de30d8433d7c4cd
              • Instruction Fuzzy Hash: B43179B2A01246EFDB12DF68C440799BBF0FB89718F2085AED119EF251D7729902CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c474dbcbc0544e976cd5439c4d90561aaaa935b19a29527237d588e42fb4fa2
              • Instruction ID: cb253048b8f0a7162209e056d4b3ca8c655e8b47d8ccb631f5a020097ea4d336
              • Opcode Fuzzy Hash: 4c474dbcbc0544e976cd5439c4d90561aaaa935b19a29527237d588e42fb4fa2
              • Instruction Fuzzy Hash: 9F419FB16043019FD761DF29C845B9BBBE8FF88754F104A2EF998CB291D7709914CB92
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3cb17ec8da730b3335eaace782ce6f7d939f524cd91510f5cfab9e54b3c5b06
              • Instruction ID: 7b6d618318b6b48e61dbb2a4610cdf71f0af7d51e257bb7ef6143e75cf49e3f4
              • Opcode Fuzzy Hash: a3cb17ec8da730b3335eaace782ce6f7d939f524cd91510f5cfab9e54b3c5b06
              • Instruction Fuzzy Hash: 2141C171E05616EFDB12DF98C980AACBBB5BF94760F248629D815AF2C0D734ED418BD0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f9702871d8f4ac553670c98cfd514ed9f495da3f5748c1f440cedd17b17b116
              • Instruction ID: 015b968af6efe97af98b096947691c07f5fe77535b7faee5fa479783e73f36a4
              • Opcode Fuzzy Hash: 2f9702871d8f4ac553670c98cfd514ed9f495da3f5748c1f440cedd17b17b116
              • Instruction Fuzzy Hash: E741CE726046529FC720DF6CC850A6EB7E9BFC8700F144A29F9949B6D0E734E905C7A6
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d84686015ba29873f3ae3da029e867ad77a84d8f70228474dc539b6e89416cac
              • Instruction ID: 9be1a588abffc067f754a238c3a777fd385a59c5e0dc233cc600b5eca34e1421
              • Opcode Fuzzy Hash: d84686015ba29873f3ae3da029e867ad77a84d8f70228474dc539b6e89416cac
              • Instruction Fuzzy Hash: 1141D3312003028BE726DF2CD884B2ABBEAFFC5760F14542DEA458F299DB70D811CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1fa6b275e055c6b29ddbfe059ab88ab0b5d9c66881448efdf7875c2b7687943a
              • Instruction ID: acd8d90b3fde607c39fd9655475271cdb56f7b79ef175dfca6d53bc78b07cf2e
              • Opcode Fuzzy Hash: 1fa6b275e055c6b29ddbfe059ab88ab0b5d9c66881448efdf7875c2b7687943a
              • Instruction Fuzzy Hash: 0F417F71E01606CFCB16DFA9C98099DBBF1FF98324B14862AD466AF290DB34A941CB40
              Memory Dump Source
              • Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c3111a3d1f94926a063134be75d68ee6ecb0113c2681ba185f40ba243948901a
              • Instruction ID: cbc3848a2f032deba2f8a5d37d2725668610867b6b4bc20eef8b980bd64e3eeb
              • Opcode Fuzzy Hash: c3111a3d1f94926a063134be75d68ee6ecb0113c2681ba185f40ba243948901a
              • Instruction Fuzzy Hash: F831BD72A08265DBC313DF79DE859CABBB0FE1135030882AED8148B642D725D04BCBE5
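The record above is the only one in this run whose memory dump source is the 00400000 region and the only one flagged with Yara matches; every other function listed here was lifted from the 014E0000 dump. Working through hundreds of these records by eye is impractical, so the following script, added here as an illustration and not part of Joe Sandbox or of the report itself, parses the record text into structured rows, decodes the .sdmp file name, and counts functions per memory region while listing the Yara-flagged ones. The PAGE_* values are the Windows constants from winnt.h; the assignment of meaning to the dotted fields of the .sdmp name (process index, dump index, dump id, base address, page protection) is an assumption inferred from the values visible in this report, not documented Joe Sandbox behaviour. The two records embedded as sample input are copied from this page.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records into structured rows.

Added example for this report page; not Joe Sandbox code. The field layout of the
.sdmp file name is an ASSUMPTION inferred from the names seen in this report.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Windows page-protection constants (winnt.h). Every dump in this report shows 0x40.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Constructed sample input: two records copied verbatim from this report.
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.1818968282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_vTHGfiwMDeoOH5a.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3111a3d1f94926a063134be75d68ee6ecb0113c2681ba185f40ba243948901a
• Instruction ID: cbc3848a2f032deba2f8a5d37d2725668610867b6b4bc20eef8b980bd64e3eeb
• Opcode Fuzzy Hash: c3111a3d1f94926a063134be75d68ee6ecb0113c2681ba185f40ba243948901a
• Instruction Fuzzy Hash: F831BD72A08265DBC313DF79DE859CABBB0FE1135030882AED8148B642D725D04BCBE5
Memory Dump Source
• Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 3c5cad07700a588eda7b4cd771a11cf4266fd835a2395f5afe41ec518fc2f180
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 9F311332A05255AFDB128B68CC40BAFBBE9FF65350F0445A6F815DF3D2C2749884CBA0
"""

SOURCE_RE = re.compile(
    r"(?P<name>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)"
)


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    yara_match: bool = False
    fields: dict = field(default_factory=dict)  # the '• Key: value' lines


def parse_records(text):
    """Split the flattened report text into one FunctionRecord per 'Memory Dump Source'."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if line == "Yara matches":          # bare marker line, present only on flagged records
            current.yara_match = True
            continue
        if not line.startswith("•"):        # 'Joe Sandbox IDA Plugin', 'Similarity' carry no value
            continue
        key, _, value = line.lstrip("• ").partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if m:
                current.source_file = m["name"]
                current.offset = int(m["offset"], 16)
                current.based_on_pe = m["pe"] == "true"
        else:
            current.fields[key] = value     # empty API/String IDs stay as '' on purpose
    return records


def decode_sdmp_name(name):
    """ASSUMED layout: proc.dump.id.base.protect.<3 trailing fields>.sdmp (hex fields)."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name layout: {name}")
    protect = int(parts[4], 16)
    return {
        "process_index": int(parts[0], 16),
        "dump_index": int(parts[1], 16),
        "dump_id": parts[2],
        "base_address": int(parts[3], 16),
        "protection": PAGE_PROTECT.get(protect, f"0x{protect:X}"),
        "raw_tail": parts[5:],              # meaning not inferred; kept for reference
    }


def summarize(records):
    """Count functions per (base address, protection) so RWX regions away from the
    original image base, where unpacked code lands, stand out."""
    counts = Counter()
    for r in records:
        d = decode_sdmp_name(r.source_file)
        counts[(d["base_address"], d["protection"])] += 1
    return counts


def yara_hits(records):
    return [r for r in records if r.yara_match]


def opcode_ids_consistent(records):
    """In this report every Opcode Fuzzy Hash equals its Opcode ID; flag any that do not."""
    return all(r.fields.get("Opcode ID") == r.fields.get("Opcode Fuzzy Hash") for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (base, prot), n in sorted(summarize(recs).items()):
        print(f"0x{base:08X} {prot}: {n} function(s)")
    for r in yara_hits(recs):
        print("Yara match:", r.source_file, "Opcode ID", r.fields["Opcode ID"])
```

Feed it the full report text instead of SAMPLE and the per-region counts show where the bulk of the lifted functions sit; the Yara-flagged records are the ones worth opening first in the disassembler.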
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 3c5cad07700a588eda7b4cd771a11cf4266fd835a2395f5afe41ec518fc2f180
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 9F311332A05255AFDB128B68CC40BAFBBE9FF65350F0445A6F815DF3D2C2749884CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 106ad4c7bf668a490309006ee0f9607dc770bd1587d869edc9286d245f4809d4
              • Instruction ID: 6cbec2915440c5832550117a688fb25b8cfb7a14219d7ae8478e9e52e65e9c0b
              • Opcode Fuzzy Hash: 106ad4c7bf668a490309006ee0f9607dc770bd1587d869edc9286d245f4809d4
              • Instruction Fuzzy Hash: C131A435750716ABD7269F658C81FEB7AA9FF99B50F100028F600AF3D1DAA8DC00C7A0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32e3663c392240e63dce18d710904cb6a013178ddbd01bf7955e55eb233cb0f8
              • Instruction ID: 91ff7f3963e44e7b1f2965f57d838c4c8df02b410c29cd2ecd708b2a3c84b684
              • Opcode Fuzzy Hash: 32e3663c392240e63dce18d710904cb6a013178ddbd01bf7955e55eb233cb0f8
              • Instruction Fuzzy Hash: 8A31E1326052128FC721DF59DC90E2AB7E5FF85724F09446DE9958F261D730E820CB80
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a51494f877f74f71489d5773b0246d007558da57fa3a3fb032b3bd987ba3b600
              • Instruction ID: 616c1a66c415707f2a6c09bcebd44bf408ec7a04552ecfcfe2a7d24dad7564e4
              • Opcode Fuzzy Hash: a51494f877f74f71489d5773b0246d007558da57fa3a3fb032b3bd987ba3b600
              • Instruction Fuzzy Hash: EF41B172200746DFD722DF28C885FDA7BE5BF49754F108829E6998F2A0D774E840CB60
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e10c8527ed6c13a555476afab10e0cfb7afb412abbb7091072f0c63336497f0
              • Instruction ID: 110706d40ceaa3754fddb7e94d8f23194adb07e54acb6b27ec5c175170e6b09e
              • Opcode Fuzzy Hash: 3e10c8527ed6c13a555476afab10e0cfb7afb412abbb7091072f0c63336497f0
              • Instruction Fuzzy Hash: 51318B726042028FD724DF68CCA1E6AB7E5FB84B20F05496DF9559F2A5E730EC14CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ee3e511e8ba45a74d56b20907bbbcf537b02c3c2dd09de1e5b632955107732a
              • Instruction ID: 517e1503feecc82e4e404a330b94c35082c5f6cf4df3bff79ca13c8fd86679ea
              • Opcode Fuzzy Hash: 7ee3e511e8ba45a74d56b20907bbbcf537b02c3c2dd09de1e5b632955107732a
              • Instruction Fuzzy Hash: 6C31E4326016D39BF326775DCD49B297BE8FB85784F1D04A0AB45AF6D2DB28D841C221
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9ffd622a019ed9d08f9d3708325069e0021b10b6a7973bde48eb14584c5e501d
              • Instruction ID: af6e2e2dedf029585c87683bbb22faff0480b7a3db5abb3069c15e7e14263a42
              • Opcode Fuzzy Hash: 9ffd622a019ed9d08f9d3708325069e0021b10b6a7973bde48eb14584c5e501d
              • Instruction Fuzzy Hash: 5C31C476A00116EBDB25DF9CCC40BAEB7B5FB48740F554169E900AF244D770ED41CBA4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5eff12347b6e54e00ac10aacfe447f27021986f255820c4d96dc8ffd7928e37
              • Instruction ID: f670ecb32a92e9524ce6779e6ea469b6406d866dfb44acab3385d0a79532a993
              • Opcode Fuzzy Hash: e5eff12347b6e54e00ac10aacfe447f27021986f255820c4d96dc8ffd7928e37
              • Instruction Fuzzy Hash: AA315276A4012DABCF31DF54DC84BDEBBB9BB98310F1001A5E909AB251DB309E918F90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0119548947b7e64126ce9544ea3cb475c684f1850954d4ca0ff7c61a18346568
              • Instruction ID: 964235cbf0e55e99629d7208be1d95c733d5348d749bb787ccaeda208b5dcf0b
              • Opcode Fuzzy Hash: 0119548947b7e64126ce9544ea3cb475c684f1850954d4ca0ff7c61a18346568
              • Instruction Fuzzy Hash: 2E31B772E00215AFDB22DFA9CC51AAFBBF8FF88750F014466E515EB250D3709E008BA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a56d1468040d0139be7fc28367a7aeba38c965109157ad1a67ec98e8b7b6f38
              • Instruction ID: 98844e4328b4c74b5bff9380ecda271ac607c437df8d2bf0c3c837f43c087ecf
              • Opcode Fuzzy Hash: 6a56d1468040d0139be7fc28367a7aeba38c965109157ad1a67ec98e8b7b6f38
              • Instruction Fuzzy Hash: C931AF76A00616AFDB269FADCC50B6FB7B9BF85754F004069E506EF381DA70DC028B90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77de99ba5d5ba33547cbb5d33ea1608e0723bdf413773356621b5aa0db2cdfef
              • Instruction ID: f00ff98dd2d706f255b2aab9a1bf4e742cd9e07cd1464b42bf46ae1b5729ad74
              • Opcode Fuzzy Hash: 77de99ba5d5ba33547cbb5d33ea1608e0723bdf413773356621b5aa0db2cdfef
              • Instruction Fuzzy Hash: AC31D832A08612EBE713EE68C850A6B7BE5FFD4250F014529FD55AF294DB30DC5187E1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e21d76e83f249629f40fee50087abcfee6c6babb61b3431a06d4f9649880f516
              • Instruction ID: 40cf4b1f66bb136f53c15e189dfba7881ecaf7226b1bf1136356c1d912fc180f
              • Opcode Fuzzy Hash: e21d76e83f249629f40fee50087abcfee6c6babb61b3431a06d4f9649880f516
              • Instruction Fuzzy Hash: 6E31ADB16093029FE322CF19C841B2ABBE5FB98700F15496DF9849B395D770E844CBA1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 94bee277927b28fd3d8499db4f3901f218e5976435e4938f8123289036cbe69a
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 25312DB2B00701AFD7B5CF69CD40B5BBBF8BB48654F04492DA59BD7651E630E900CB60
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9859ad7a553b4704b3650a7323b42b4fe0b2121821c0585fcfe489d51cf7c89
              • Instruction ID: 0a47650cc384de614b1cea7a1262dd396e78b72722b38bbf5141a1016dcdd098
              • Opcode Fuzzy Hash: f9859ad7a553b4704b3650a7323b42b4fe0b2121821c0585fcfe489d51cf7c89
              • Instruction Fuzzy Hash: A0318F72505342CFC716DF19C98199ABBF1FF8A614F0849AEE488AF391E331D945CB92
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a829bc0f93d778c823b87db66fdeaac55485e8b90310ecef3bcbccd6e4e7ed8b
              • Instruction ID: 036f378e3f8bde943923a51960da6fe145f11d94f4e4a472e91322d86b116b23
              • Opcode Fuzzy Hash: a829bc0f93d778c823b87db66fdeaac55485e8b90310ecef3bcbccd6e4e7ed8b
              • Instruction Fuzzy Hash: 3131C232B002069FD721DFA8C985A6EBBF9BFC4704F008539D656DB294D730DA41CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction ID: f02129d35439e2d7303f700fd980008b8cbdc1f53deff4b050a54325ca84ba25
              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction Fuzzy Hash: 7521F232E4025BAADB119BF9C801BAFBBB9BF56740F1585759E15FF280E670C90087E0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7993bb3b79955d140346b77a63d7d4221da53f8579b315db995878c5f1f28a83
              • Instruction ID: 0612fea84cf59ebcf3a83bf9aeafaefff5a55b1ee28b9406ea4e4ab056d34c79
              • Opcode Fuzzy Hash: 7993bb3b79955d140346b77a63d7d4221da53f8579b315db995878c5f1f28a83
              • Instruction Fuzzy Hash: 0B315B726002128BD731AF58CC40B6D77B8BF91314F4485A9DD859F386DA78D982CBD0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a4129b0e7c510737fe807c4b9591e4563b423956318340d999c25910fde564d
              • Instruction ID: 6f12dad678323d34de399bccdf22bc7d8de49d7d0ac570d84e70f35945e24cc3
              • Opcode Fuzzy Hash: 8a4129b0e7c510737fe807c4b9591e4563b423956318340d999c25910fde564d
              • Instruction Fuzzy Hash: 17116D75A0020EEBDF15EF68C850EAE7BB9FB88340F004059FD059B380DA35E951CB91
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 83a8752587d9f24c4f32b2eb235a90ca1329c29b6dfbdd97228475245d344586
              • Instruction ID: ce09ae38d7981a74eb67b7a3d3c8d0f7f4b203b56644a9e23c260c5b9674be44
              • Opcode Fuzzy Hash: 83a8752587d9f24c4f32b2eb235a90ca1329c29b6dfbdd97228475245d344586
              • Instruction Fuzzy Hash: 151139B16183099FC754DF69D841A5BBBE4FF99750F00891AF998DB391E630E900CBA2
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15e275afc36cb4b5623ad4f91d16474699030aaaa7154157012d6ce937c95189
              • Instruction ID: 07af921c45a01204769ce92144fc7e6ae36c397fb0f53b1b2136064afbe24c1e
              • Opcode Fuzzy Hash: 15e275afc36cb4b5623ad4f91d16474699030aaaa7154157012d6ce937c95189
              • Instruction Fuzzy Hash: EE1179B1A083099FC710DF69C84194BBBE4FF99350F00891AF958DB3A0E674E900CB92
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 7549ad0765ee766822844f9ea3b95836cb3d322dcd79180c95e9060371427ae6
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: D8017C323005909FE326861DC948F2A7BDCFB86754F0904A1F905CF6E1D63CDC41C661
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9ccf5579994600d47a1de344fec0775c8595d0ef129cb579954a650272d82e6
              • Instruction ID: fbb0da8b4cce2c9668e4ce9f99b65ed7417a7ee05115fbefb9858f08e05fcd0e
              • Opcode Fuzzy Hash: a9ccf5579994600d47a1de344fec0775c8595d0ef129cb579954a650272d82e6
              • Instruction Fuzzy Hash: 3C018435B10907DFDB19EBA9DC44DAF7BB9FF80620B15406A9A019F780EE30D901C691
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: a7cedaec8bc446e0c68f126c37d35dab17ba2cf4b037c84da0f3f9b33ec74693
              • Instruction ID: f3d5dfcaa08e6b60bc63c7cefeed6a95178288c138d6f4a7434d9ba0042d7bfc
              • Opcode Fuzzy Hash: a7cedaec8bc446e0c68f126c37d35dab17ba2cf4b037c84da0f3f9b33ec74693
              • Instruction Fuzzy Hash: 3A0184722406129FD3365F16DC41B97BAA8FF95B50F05442AE6069F3D0D6B0D8418B58
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eccf69f553eb2ad059165876a70f955980c2faf36abb63770ef08e6aaf366480
              • Instruction ID: 5a6c382dccca6c35d851dcba0fc838ea74e13b7a8e65d25c3aeef26e57230a58
              • Opcode Fuzzy Hash: eccf69f553eb2ad059165876a70f955980c2faf36abb63770ef08e6aaf366480
              • Instruction Fuzzy Hash: DCF0F933641621BBD7329F568C40F577AADFBC4BA0F114429E6059F640D630ED01CAA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 161c44fa7354851e4e7b9d859974ca78db6fdc7ad7d26aed21b7aa4d7e89aa5f
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: DFF0C2B3600611ABD324CF8DDC40E6BFBEAEBD1A80F048129E505DB220EA31ED04CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3483ca9e4526f7849dfbee6c87e5ae14530491e24ebb04007f633352497fa733
              • Instruction ID: af01ff6f64865969677544ac6bb965e283b6cb7aeefe87568ea5b427ee0137ff
              • Opcode Fuzzy Hash: 3483ca9e4526f7849dfbee6c87e5ae14530491e24ebb04007f633352497fa733
              • Instruction Fuzzy Hash: D8014475E1020AEFDB04DFA9D55599EB7F8FF9C344F10405AF904EB351D6749A018BA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 6e1fc863e7d86557d6d16c54a6cacaa0ee48c2ce6cbaf6ab38852edeaffdacbf
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 86F0FC332146339BD73316DD8840BAFA795BFD7B64F1902B5E6059F2C0C964DD0166D1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b5b7782b99b9361e72de51b2100fcb11e323f59364f4d221b23a5e1a00dfa2d5
              • Instruction ID: ed30e78ae0792d446acafac2069c536b0881021320a6b1d39dc95b74b63c06b0
              • Opcode Fuzzy Hash: b5b7782b99b9361e72de51b2100fcb11e323f59364f4d221b23a5e1a00dfa2d5
              • Instruction Fuzzy Hash: BD014471E1021AEFCB04DFA9D4559AEB7F8FF98344F10405AF904EB351D6749901CBA4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 94b0dd4871b476e07c675cb136ded7cc0f0c220719a423165f96f3a2b43639c6
              • Instruction ID: 4c18e8eace315c2c9ac4b9222b640c36b7bd1b0f731503ad904f3dd7e522e3ca
              • Opcode Fuzzy Hash: 94b0dd4871b476e07c675cb136ded7cc0f0c220719a423165f96f3a2b43639c6
              • Instruction Fuzzy Hash: A4014471E0020AEFDB04DFA9D45599EBBF8FF58344F50405AF914EB391D6749D018BA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction ID: 83c9ad7f8a2f1bf5c36288054d0fe678f7b132fbdd97c5406a098cb8e4698c81
              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction Fuzzy Hash: BC01F4332016869BE322E71EC805F5DBFD8FF81758F0848A5FA049F6B2D6B8C800C211
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a7324d9f434385f7c488239bb9df51c4b7f0e3fdf0a843fad6432669d4aceab
              • Instruction ID: 1849718422ad226ec308cee06dde5a42807efe93c1d10e2512c0a7c5127a0c8e
              • Opcode Fuzzy Hash: 9a7324d9f434385f7c488239bb9df51c4b7f0e3fdf0a843fad6432669d4aceab
              • Instruction Fuzzy Hash: DD018F71E0024ADBCB04DFA9D855AEEBBF8BF58350F14405AE900AB280D774EA01CB94
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: b4b8a43b1d468d2633348633b21aa493654ce625d9b40916350368b6bdb878c8
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: 5AF0FF7210001EBFEF019F94DD80DAF7B7DFB992A8B114125FA1196160D635DD21A7A0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be5f5cf456f550c8e31a96ea4df001a8049e48cd7cff972711d9176d8d7fc332
              • Instruction ID: 3ef4ea889c575b58979f273f65b6dddc7cb86464686caca0e6e8ef4e0ba4583a
              • Opcode Fuzzy Hash: be5f5cf456f550c8e31a96ea4df001a8049e48cd7cff972711d9176d8d7fc332
              • Instruction Fuzzy Hash: 54014536210259ABCF129E84DC40EDE7FA6FB4C764F068115FE196A220C736D971EF92
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1a18cf917f342e2b237c7e0ef1893f8caa7ef81de10fadbadb62cc604d6589e
              • Instruction ID: 1ed1e0b4fa98a499ef76f013306ef1561f07f3520af4ed58a5b6f71c12f8b1d0
              • Opcode Fuzzy Hash: f1a18cf917f342e2b237c7e0ef1893f8caa7ef81de10fadbadb62cc604d6589e
              • Instruction Fuzzy Hash: FAF024716043425BF32296999C01F2236DAF7C1762F2980AAEB098F6D1EA70DC0183D4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 419df226b0f29b7909d1a5d195a46b31b938b9094e3fad1e6b4ec808dcad3dd0
              • Instruction ID: 946c61772c2d1d11187c598dedb8ab29de4837afa2e2ddafbd93f90918cf8fd9
              • Opcode Fuzzy Hash: 419df226b0f29b7909d1a5d195a46b31b938b9094e3fad1e6b4ec808dcad3dd0
              • Instruction Fuzzy Hash: 7301A471200682DBF732A72CCD48B6A37E8BB45B44F880591FE019F6D6DB38D8418614
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: 255f8b52235e8c6c7bd0f7025be220187933727dec84c9ded8ec88567dc99f24
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: 82F0E931343F1347E735AA2D8490B6EA695BFD0D40B1D052C9513CF682DF60D8808780
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction ID: e083ce360e70c03d1a79375ee6e272433032adc30d2d8c520bf13805bc58036b
              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction Fuzzy Hash: 83F054337115229BDB21DE8DCC81F16B7A8FFD9A60F190465A604AF660C764EC0287D1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c14c216128d796d97b6e401aaa8edc10e100c43b76e4569e2e725059d7ac69a7
              • Instruction ID: 1f4527605d7d88b69b965a1cf0ca4b4fd60469ea76951991637a1326001a5889
              • Opcode Fuzzy Hash: c14c216128d796d97b6e401aaa8edc10e100c43b76e4569e2e725059d7ac69a7
              • Instruction Fuzzy Hash: C8F08C716053059FC754EF28C845A1BBBE4FF99710F40465AB898DF394E634E901C796
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction ID: 41f77a6d97d6e4f2934cbe28fffead10e46be2e5ccc4c92b41e535161b289e5e
              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction Fuzzy Hash: 23F0B472610205AFE714DF25CD01F96B6E9FF98344F258478A645DB1A4FAB0DD01CA54
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8095d296293c930a4d461540c86e08b62ce897c2782533c3479caea4826ddf1
              • Instruction ID: 395db9d19626458fd7079261e7f063c8d9baefeb4c87ff2709c64e18121d920e
              • Opcode Fuzzy Hash: a8095d296293c930a4d461540c86e08b62ce897c2782533c3479caea4826ddf1
              • Instruction Fuzzy Hash: DFF0C270A0024ADFCB04EF69C515A5EB7F4FF58300F008056B805EF385DA38EA01CB50
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eeaf92ceb8b399a907148716e50bc9d5d86c6def7f1de7efa47d7b9c417bfe3e
              • Instruction ID: 5ac11abfdf0fd3271cd7f8db9f3f63aed83e2f3b16a547a630dc0f4b42d13c0f
              • Opcode Fuzzy Hash: eeaf92ceb8b399a907148716e50bc9d5d86c6def7f1de7efa47d7b9c417bfe3e
              • Instruction Fuzzy Hash: 4DF09A319166E1AEF723DB6CC058F2ABBD4BB01B20F08A96ADD898F556C734D880C651
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75ba47ff9d30fd3f7a605a00b6867a37abd02cde26426fb5404566770cfd1b0e
              • Instruction ID: 8f5b06d1c750029fbda6c8c3f0fb684ced1e6e42bd5c5d721d6c892c373b8419
              • Opcode Fuzzy Hash: 75ba47ff9d30fd3f7a605a00b6867a37abd02cde26426fb5404566770cfd1b0e
              • Instruction Fuzzy Hash: D6F027364196C34ECB335FBCAC502EA2B64B7D1410F092049E4A15F245C57488A3C3A0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62467e461ee8f81a8426c8115de6706613dcf8372f12881ef18026fe7539ba32
              • Instruction ID: 61223dfea5cf0a7e3eadab5cda7144eb8fbd241ea9df73e7f90e026b4d670ed7
              • Opcode Fuzzy Hash: 62467e461ee8f81a8426c8115de6706613dcf8372f12881ef18026fe7539ba32
              • Instruction Fuzzy Hash: 15F0E2715136519FE7229B1CC148B29BBD8BBC57A9F09D936D406CF562C770E880CA51
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 0708191e764860075bb3685eb2362b238549afb496fb145057c1c4478da8fdc2
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: DCE092323006026BE7519E598C90F57776EAFD2B10F04447AB9045E291CAE69C0982A4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: 0751b08239e4debf88868a666cba322b756519e75166c22471cce09617a989a1
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: 5EF0E572180604DFE3208F09D844F5AB7F8FB05364F89C025E6088F160D379EC80CBA0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 8933700c6d9013dde00e047815ac60de84855b0ebfcf87525649ffe5e943e5a9
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 16F0E53A2043459FEB16DF19C040E997BE8FB45350B000454F8428F391D731E981CB90
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction ID: ccc3fb2a9faaf105a488c4c991d9c21c40ed00142f01133ac6d76b21e472994b
              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction Fuzzy Hash: FEE09232294546ABD3211E5A8800B7A77A7BBD17A4F150429E2008F150DBB0DC40C798
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b305053c76938a0f8ff3345e553465bbfd241f684f633c1a87a304767d63b5d0
              • Instruction ID: 64dc48415f131f57da48d2b25ba20b010b1c05d8b8249598da75d71bef723eb2
              • Opcode Fuzzy Hash: b305053c76938a0f8ff3345e553465bbfd241f684f633c1a87a304767d63b5d0
              • Instruction Fuzzy Hash: 0FF0E531E25A924FEB7ED72CE188B5E77E0BB90670F0A0554D400CF912C334DC80C650
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: 6aad7a453ae647aac429dfd214c4a558fad6ad9f6ddf40051ab9719d49e8292b
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: 50E0DF73A40120BBDB2197998D01FDABFACEB90EA0F150064B600EB0D0E530DE00C690
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction ID: e01417928566c3bd9e7dae3fa6b10dbd53f94c5494f154702453adcd0b99ea96
              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction Fuzzy Hash: 24E09B31B447658BCB298A1DC144A57BBE8FFD5660F158069E9054B653C271F842C6D0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b3d403513c80ab3a2291f20114886400e3b141799b88e6bca7d3cc63c4555872
              • Instruction ID: 96860992590714ef278c0d70b561dfac341a475c91593d13ddcc9a208ec074e5
              • Opcode Fuzzy Hash: b3d403513c80ab3a2291f20114886400e3b141799b88e6bca7d3cc63c4555872
              • Instruction Fuzzy Hash: 58E092321105559BC322BF29DD11F8B7B9AFFA4370F114515F1555B194CB34A810C7C4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: 8a9446d14a0dd7e3367fa0b1d0407f24da53d276d88f170c7b2c929fcb979583
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: 5DE09231010612DFE7326F6AC848B56BFE0FFD0B11F148C2DE0961A4B0D7B598C1CA40
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: 5207591367b741cbc3f5f545da2a2884c0c926956549e72c60113521058b8c06
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 09E0AE343002058FEB15CF19C140B667BA6BFD5A10F28C068A9488F205EB32A8438A41
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1e9f99239a553b290ca0b46a0fedb8a5a85066eaa078530a1842b639541ddd1
              • Instruction ID: da34a858e97c0b7664d9e264c28c71266e6ca5ed82931d102ee81a1516d7d400
              • Opcode Fuzzy Hash: d1e9f99239a553b290ca0b46a0fedb8a5a85066eaa078530a1842b639541ddd1
              • Instruction Fuzzy Hash: CFD02B325D20316FCB36E22ABC04FE73A99BBD1324F018C60F1089B051D5B4CC8183C4
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: e69e1277e3f865d19b062a785282f4f91d82e20283b519a34709376104231397
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: F5E08C32940A22EEDB322E55DC10F5576A5FFA8B20F10482AE4811E0E4C674A881CB44
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a398fd8847664259dc2ebb0377a42062433d2a08ac3846bc10a23830d825748
              • Instruction ID: c26bd65ec807d335e58791fe44f17714b65ed96617b7258a4dc997b586c1e3cf
              • Opcode Fuzzy Hash: 5a398fd8847664259dc2ebb0377a42062433d2a08ac3846bc10a23830d825748
              • Instruction Fuzzy Hash: 71E08C321104616BC312FA5DDD10F4A779AFFE9260F100121F1509B2D8CB64AC10C794
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
              • Instruction ID: 8acb7b5b1b42f48dc7d32cb4d63cee641f722184dd2dc9855d6824c100489787
              • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
              • Instruction Fuzzy Hash: EBE08633511A1487C728DE58D515B7677E4FF45730F0D463EA6134B780C574E544C794
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: f4a06883bbc52c9cba9abd8c7abfc0208fa737dedf3ebe4522e38fe1c2bea85d
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: 9AD0A933214620ABD772AA1CFC00FD333E8BB8C720F060459F009DB090C364AC81CA84
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction ID: 037929cb1ff744fba74ae376479c44a791c8765fe753d9f919a9b1accccfd1dc
              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction Fuzzy Hash: 3AE08C32910681ABDF13EF59C640F4EBBB5FB84B00F140004A4086F260C324AC00CB40
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: de95d09a63521889dcee3f8b865c2261f7acf6669037ea884bbd52bdfc951730
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 6ED02233222031A3CB2A9A95A810F676905BFC5AA0F0A002C740AAB880C1088C42C2E0
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction ID: cbcbf89191cdb9d49b9b668d08db8e3dffba1b931e65f9126379eb8a7925946a
              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction Fuzzy Hash: 3ED012371E055DBBCB119F66DC01F957BA9FBA9BA0F444020F5048B5A0C63AE950D584
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ccd4e2370348a10b5b65099e9e7f0cfb061a8fb9fe41df8864b87ef3a044796
              • Instruction ID: 9d9d724f51392fb82459087b49dee04480f504a0531fbdd7452d06131349ebde
              • Opcode Fuzzy Hash: 0ccd4e2370348a10b5b65099e9e7f0cfb061a8fb9fe41df8864b87ef3a044796
              • Instruction Fuzzy Hash: 7DD0C735556512DBDF17EF5DCD10E6E76B4FF54644B80006CE7016A530D379EC11C650
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: 6da6ae57e2fbf208a10f7a05dff7bb48d55de5e7bfbfb71015cb4b203f318ed3
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 62D09236212A90CFD61A8B0CC5A5B1933A8BB46A44F810891E401CBBA2D628D940CA00
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 89e9ab3cd1935e629e09491bf1560a70cd95264656302216ea2b492c182f717c
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: D7C012332A0648AFC712AE99CD01F027BA9FBACB50F000021F2048B6B0C635E820EA84
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: a4e25da3f0c7fa3f5a9f04954519d4e25ae9dfe8e95c1bb2f89160f9193cb126
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 57D01236100249EFCB01DF85C890D9A772AFBD8710F108019FD190B6508A31ED62DA50
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: ecba0334f2e42910e375d2e7895b62942ca295d861b03556f93ab1f996b9703e
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: 47C04C797015428FDF15DB19D294F4977E4F784740F150890E805CF726E624E801CA10
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27abc02ea15da8a7884cb424af7aa70a11aeb77ae369e7e6a05369d934ff2ba0
              • Instruction ID: 31f20a8fe0fdcc7e2ebcd601f10584dc6d34d47cc583aae39c23245c5741222e
              • Opcode Fuzzy Hash: 27abc02ea15da8a7884cb424af7aa70a11aeb77ae369e7e6a05369d934ff2ba0
              • Instruction Fuzzy Hash: 4B9002716059001291407158488454A4049B7E0311B59C411E4424A54CCA548A5653A1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e26308654db7d7f7da1637fd9694d286779a45eabea12a15c6df30d32cf85ca0
              • Instruction ID: 9496ef3e69f3a099423c198821bc8593232e2dba80c60fb1bf709887cdb42106
              • Opcode Fuzzy Hash: e26308654db7d7f7da1637fd9694d286779a45eabea12a15c6df30d32cf85ca0
              • Instruction Fuzzy Hash: 329002A16016004241407158480440A6049B7E1311399C515A4554A60CC658895593A9
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3932e1adfa520c7660ce2bf7d1833aca44ccd074cbe1479a6e763a9ce272c37a
              • Instruction ID: 6c0f66e869775ecc41bef7989d05d1c04fd6c252c5ec454095cc12bd4374c7f4
              • Opcode Fuzzy Hash: 3932e1adfa520c7660ce2bf7d1833aca44ccd074cbe1479a6e763a9ce272c37a
              • Instruction Fuzzy Hash: FB90027120150802D1807158440464E0049A7D1311F99C415A4025B54DCA558B5977E1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 448f0c719e7bbbd5de39963eb52f73112eeccc3fb7bffdeaff14bab1b64e4928
              • Instruction ID: b24bfe2bc594e0eb70bc114ea33f72406322645d78f29665030523859229af74
              • Opcode Fuzzy Hash: 448f0c719e7bbbd5de39963eb52f73112eeccc3fb7bffdeaff14bab1b64e4928
              • Instruction Fuzzy Hash: 7390027120554842D14071584404A4A0059A7D0315F59C411A4064B94DD6658E55B7A1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 605af09727f581d6682348c626f9c90b4000da3e948cd11cbc903680c1fecd13
              • Instruction ID: 386f317751b0d177ecbc674be250cacca6c132b4c452f8d759dc280e2769edab
              • Opcode Fuzzy Hash: 605af09727f581d6682348c626f9c90b4000da3e948cd11cbc903680c1fecd13
              • Instruction Fuzzy Hash: C090027120150802D1047158480468A0049A7D0311F59C411AA024B55ED6A589917271
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae6679ac7b6bc6b96ab0216c67594ca768ae377add58699fb22f11c15d402631
              • Instruction ID: ac59c0ea721f34d4b4db53e582efb407d7bc92dfe6fef2df0568e039241aed7c
              • Opcode Fuzzy Hash: ae6679ac7b6bc6b96ab0216c67594ca768ae377add58699fb22f11c15d402631
              • Instruction Fuzzy Hash: 1390027160550802D1507158441474A0049A7D0311F59C411A4024B54DC7958B5577E1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae79fbeb92abf3875200c4730565cf07df96387ae171d4b24751dd7d4c47a8b8
              • Instruction ID: 7e956d0ad7a235899b760852d1ad797fa1cc5a3badad66d3f6db61b1e510c71c
              • Opcode Fuzzy Hash: ae79fbeb92abf3875200c4730565cf07df96387ae171d4b24751dd7d4c47a8b8
              • Instruction Fuzzy Hash: D6900265211500030105B558070450B008AA7D5361359C421F5015A50CD66189615261
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20d0fff208848011ce17fd3590c3b3d16de39b2ede4e196161810d967ba77841
              • Instruction ID: 4ec5a5eec2b5ebc962347fa1469be27f9225a30b737b275aa99d2ecc734496ab
              • Opcode Fuzzy Hash: 20d0fff208848011ce17fd3590c3b3d16de39b2ede4e196161810d967ba77841
              • Instruction Fuzzy Hash: 8B900265221500020145B558060450F0489B7D6361399C415F5416A90CC66189655361
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db1d7bb7aeaa37fe2fbed6670e371a0d642ad468eb34b232cdff374436695829
              • Instruction ID: 6fdf9e01a36d7a674bab031145cc6174dba8bcc96ce32e903ea5bb2d1350a0d5
              • Opcode Fuzzy Hash: db1d7bb7aeaa37fe2fbed6670e371a0d642ad468eb34b232cdff374436695829
              • Instruction Fuzzy Hash: F89002E1201640924500B2588404B0E4549A7E0211B59C416E5054A60CC56589519275
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e997562af4f10eb17cdf03159647256476a69b82b2bddf8acdef242c52bbd3d4
              • Instruction ID: e73504c054ca948fb5ec023c04a45b5bd7acc0282e0473e839b421f47868ef81
              • Opcode Fuzzy Hash: e997562af4f10eb17cdf03159647256476a69b82b2bddf8acdef242c52bbd3d4
              • Instruction Fuzzy Hash: E690026921350002D1807158540860E0049A7D1212F99D815A4015A58CC95589695361
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8b4f6dd10c993fda15f0252019a2b897965bb1002ebb82a6abe9c23f40f1243
              • Instruction ID: b87f82eb027599a1297d67d52f13e00d0d000be982299225ec9bff966d3ef3e6
              • Opcode Fuzzy Hash: b8b4f6dd10c993fda15f0252019a2b897965bb1002ebb82a6abe9c23f40f1243
              • Instruction Fuzzy Hash: 0290026120554442D10075585408A0A0049A7D0215F59D411A5064A95DC6758951A271
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af89f65b09c97f199ca226df7dd2f4a54db41aa83718326278684519256b4143
              • Instruction ID: a37ccb33c4dc261062c3203f38da4c5bbf85abf004c8686b54e3c9f994798ec8
              • Opcode Fuzzy Hash: af89f65b09c97f199ca226df7dd2f4a54db41aa83718326278684519256b4143
              • Instruction Fuzzy Hash: 3890026130150003D1407158541860A4049F7E1311F59D411E4414A54CD95589565362
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6435bf7052c5bbe0cf457241764d556c0509bfca2c2b8bbee921a63106fa8ca
              • Instruction ID: 755643d1b69cccfd4a75e6a4bf85ef377a7c10e57bbbbc747ddd1b652e3b0cf4
              • Opcode Fuzzy Hash: f6435bf7052c5bbe0cf457241764d556c0509bfca2c2b8bbee921a63106fa8ca
              • Instruction Fuzzy Hash: 67900261242541525545B158440450B404AB7E0251799C412A5414E50CC5669956D761
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e691b8c572a3373a03ba4a53290aa1af637fb1578e64272ed4f17fa4cc16b262
              • Instruction ID: dc13c66a5ffa06b41ab72b23f27ef6ac0fc800aadbbf6088816f94635148d784
              • Opcode Fuzzy Hash: e691b8c572a3373a03ba4a53290aa1af637fb1578e64272ed4f17fa4cc16b262
              • Instruction Fuzzy Hash: A790027124150402D1417158440460A004DB7D0251F99C412A4424A54EC6958B56ABA1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 203b0e7e5406ab4f0f07250cc536bd2185119060db69d477e6e55f0d2cd64cd0
              • Instruction ID: 226b2051ab6e406a91e91ecd3656f809e39bda801980e43b79b326b186539537
              • Opcode Fuzzy Hash: 203b0e7e5406ab4f0f07250cc536bd2185119060db69d477e6e55f0d2cd64cd0
              • Instruction Fuzzy Hash: AD90027120150842D10071584404B4A0049A7E0311F59C416A4124B54DC655C9517661
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d68e06a651ce50eaa1829a64022785d7d9ac20517826218c8f362d989b0c2137
              • Instruction ID: 8ef66089caf341f2a9d921b211772797b1c7156e965cc46060d4f91ed6bbaed5
              • Opcode Fuzzy Hash: d68e06a651ce50eaa1829a64022785d7d9ac20517826218c8f362d989b0c2137
              • Instruction Fuzzy Hash: 8390026160550402D1407158541870A0059A7D0211F59D411A4024A54DC6998B5567E1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e72e4cf1dbfa84fe16179af6ff3f2703c1dd5984578a85ea4b32d0c4ff814e88
              • Instruction ID: 7b43c96a83e43689c44b62fac4f3852b644ee300bd0f4bbf0841963b9970a698
              • Opcode Fuzzy Hash: e72e4cf1dbfa84fe16179af6ff3f2703c1dd5984578a85ea4b32d0c4ff814e88
              • Instruction Fuzzy Hash: 6090027120150403D1007158550870B0049A7D0211F59D811A4424A58DD69689516261
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7c7517943177a48c5e25ddfad768a3cabdc1025587a2c7ab9fc8929f6b427a9
              • Instruction ID: b2c476164711073c359068f273a124817e8e399132774a2962a56136a19d1113
              • Opcode Fuzzy Hash: a7c7517943177a48c5e25ddfad768a3cabdc1025587a2c7ab9fc8929f6b427a9
              • Instruction Fuzzy Hash: 4490027120150402D1007598540864A0049A7E0311F59D411A9024A55EC6A589916271
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9593179a9ae2aefa0023bd3fa52fe73ef65f769af7919ea67505d64819af40dd
              • Instruction ID: 485343aa8af85af1f65abfbfad1d6352a3d5908c2a5c189a926fe09a6def3a06
              • Opcode Fuzzy Hash: 9593179a9ae2aefa0023bd3fa52fe73ef65f769af7919ea67505d64819af40dd
              • Instruction Fuzzy Hash: BE9002A121150042D1047158440470A0089A7E1211F59C412A6154A54CC5698D615265
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d08486ba2a1d127ace83361fbe6fef0d2b37ad1b1bd0883f2fa3ef8cb343aac
              • Instruction ID: 4615bc83b40ce2e60fbfd89d672f57ef2e98b76407998b32a0da154c734b2362
              • Opcode Fuzzy Hash: 9d08486ba2a1d127ace83361fbe6fef0d2b37ad1b1bd0883f2fa3ef8cb343aac
              • Instruction Fuzzy Hash: 279002A134150442D10071584414B0A0049E7E1311F59C415E5064A54DC659CD526266
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c96745cfe7615b29ba1c2d07e84974ab26fce9af4df9b56220bfd84899ebd07
              • Instruction ID: b29ca1adce3f41bc562767e712e36746f4f85d37cc5ac025fc24efdbe2b419e4
              • Opcode Fuzzy Hash: 9c96745cfe7615b29ba1c2d07e84974ab26fce9af4df9b56220bfd84899ebd07
              • Instruction Fuzzy Hash: AA900261211D0042D20075684C14B0B0049A7D0313F59C515A4154A54CC95589615661
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c55472c363027fc62cdfafaa3886457167a58d970ed9c527e5d1af2a22fea32a
              • Instruction ID: 2d435744596a1c2ddfc21d9380c1710fbe5faf25678a0e32079e81bd4692ef6b
              • Opcode Fuzzy Hash: c55472c363027fc62cdfafaa3886457167a58d970ed9c527e5d1af2a22fea32a
              • Instruction Fuzzy Hash: 5490027120190402D1007158481470F0049A7D0312F59C411A5164A55DC665895166B1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a5b75427aee852fae715f9d87c65981dc37b14b8c652c03a5986ee00a19f141
              • Instruction ID: 2b477721c2339511916a80393bb6c90d62e6e57b874cc5866ba62225086467c2
              • Opcode Fuzzy Hash: 5a5b75427aee852fae715f9d87c65981dc37b14b8c652c03a5986ee00a19f141
              • Instruction Fuzzy Hash: C89002616015004241407168884490A4049BBE1221759C521A4998A50DC599896557A5
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 773a531fd1642a3c57a13b1697419f3de0f511e74f575de68fc9d6f526b76a3a
              • Instruction ID: 6ae4fafffec44ee6a1b1e868f496acf3e4f3a4956b48a9766decf402feaf0420
              • Opcode Fuzzy Hash: 773a531fd1642a3c57a13b1697419f3de0f511e74f575de68fc9d6f526b76a3a
              • Instruction Fuzzy Hash: B590027120190402D1007158480874B0049A7D0312F59C411A9164A55EC6A5C9916671
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fa5cd337926212c646824805dd29730f95368594d22e36cda7e138e1a95df58
              • Instruction ID: dcce4d67dae5a7aab0569824480c97761c6f7b04c28c876a55a95d5ef108eec0
              • Opcode Fuzzy Hash: 4fa5cd337926212c646824805dd29730f95368594d22e36cda7e138e1a95df58
              • Instruction Fuzzy Hash: 0A90026130150402D1027158441460A004DE7D1355F99C412E5424A55DC6658A53A272
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c4d5f4be9a2438d004cb8733c6abb9647c8849156319e81aa8ca14e784df2d0e
              • Instruction ID: 010c16be01a2799d04f780d8f0e27315dabbaf4ea4f9b686aff03bc0967b0e79
              • Opcode Fuzzy Hash: c4d5f4be9a2438d004cb8733c6abb9647c8849156319e81aa8ca14e784df2d0e
              • Instruction Fuzzy Hash: CD9002A120190403D1407558480460B0049A7D0312F59C411A6064A55ECA698D516275
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f0bd2f40d52bdd74a8f2c9ba1bdfc684d5a79abfbf8ed5431b76b6f365a9c6d6
              • Instruction ID: 92f2ca86f1f45b3d1c76bb552f1fd574853a51c4256de9531ac1682a7ffbaec9
              • Opcode Fuzzy Hash: f0bd2f40d52bdd74a8f2c9ba1bdfc684d5a79abfbf8ed5431b76b6f365a9c6d6
              • Instruction Fuzzy Hash: 3990026160150502D1017158440461A004EA7D0251F99C422A5024A55ECA658A92A271
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a1b99ec1f3a57f9160821b3038f0003064511aca12a980c382b9cf5a4da4851
              • Instruction ID: fa5b031edd49908d13a12830beb41863ca9ed0d25ae70e10f8ef5d4c22322b85
              • Opcode Fuzzy Hash: 7a1b99ec1f3a57f9160821b3038f0003064511aca12a980c382b9cf5a4da4851
              • Instruction Fuzzy Hash: 299002B120150402D1407158440474A0049A7D0311F59C411A9064A54EC6998ED567A5
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b249cf5d183a4ac9973175830ec518a5492c0e2738d6ba324f958ea23a2c40d
              • Instruction ID: bcb40721a3e768e76348216471b0b83a7d7f925a94b436be24aff38561ddeeac
              • Opcode Fuzzy Hash: 2b249cf5d183a4ac9973175830ec518a5492c0e2738d6ba324f958ea23a2c40d
              • Instruction Fuzzy Hash: 6F90026120194442D14072584804B0F4149A7E1212F99C419A8156A54CC95589555761
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba3f1fb69e8cb0d8719ccccb5520cd3ee66cc99649609c615b784adebdc5c063
              • Instruction ID: ffd6bd836f12f80d5e8c32dbf5b7363355c469c769b90080198eaba289a820f4
              • Opcode Fuzzy Hash: ba3f1fb69e8cb0d8719ccccb5520cd3ee66cc99649609c615b784adebdc5c063
              • Instruction Fuzzy Hash: 7890026124150802D1407158841470B004AE7D0611F59C411A4024A54DC6568A6567F1
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d0b522c463d84b1953af7d31516cd2039816e38f460d8d8ac2b899c657c25138
              • Instruction ID: 0b91154b074a147066f9716a7de2754199e5cf6f5584ab005064836657fee390
              • Opcode Fuzzy Hash: d0b522c463d84b1953af7d31516cd2039816e38f460d8d8ac2b899c657c25138
              • Instruction Fuzzy Hash: 2690026124555102D150715C440461A4049B7E0211F59C421A4814A94DC59589556361
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 00873a0e92a5e8d0323817c85ab00363a8dc8b5546ba90ba6e3a00645a5df8dd
              • Instruction ID: 3c3e8194873e2fc3f6705b2334277a066bf6100bc0344fb50beea1db4627e4f6
              • Opcode Fuzzy Hash: 00873a0e92a5e8d0323817c85ab00363a8dc8b5546ba90ba6e3a00645a5df8dd
              • Instruction Fuzzy Hash: 6D90027520150402D5107158580464A008AA7D0311F59D811A4424A58DC69489A1A261
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0fc4adc71888bbd81cfd4c00d490a7c632a7f806fa060b88bd1ae147a502df4
              • Instruction ID: ccdb64c6dfea5312bbf729661b83142b9983c48bcdd9fc960da6daa6839f0ff3
              • Opcode Fuzzy Hash: e0fc4adc71888bbd81cfd4c00d490a7c632a7f806fa060b88bd1ae147a502df4
              • Instruction Fuzzy Hash: 0D90027120250142954072585804A4E4149A7E1312B99D815A4015A54CC95489615361
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: df05b9f1413bf5fe7343f4a8778c34e4113bea51ec4eb0baf6c7af4eb321b8df
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 8df9fe440464f2e1b54bf8eede79ac68df54001d733e018b1ffc4f8ce238cdf0
              • Instruction ID: ba9c79d3345c71b9361cbe4b3aade1d3c333d50b6ae552fec81eff118d14afa5
              • Opcode Fuzzy Hash: 8df9fe440464f2e1b54bf8eede79ac68df54001d733e018b1ffc4f8ce238cdf0
              • Instruction Fuzzy Hash: 5D51E6B5A04217EFCB51DB9CC99097EFBF8BB48240B54852AF865DB641D334DE408BE0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 665a7efe92207592a1b2245acd1cf895c7299010b8d75460f84b578d5b379b13
              • Instruction ID: c6a1bbd3423a974123cf50fb289f90565bf806cd8135b0f8d94b40ad85aa7955
              • Opcode Fuzzy Hash: 665a7efe92207592a1b2245acd1cf895c7299010b8d75460f84b578d5b379b13
              • Instruction Fuzzy Hash: 0751C175A00646AFCB21DEDDC89097FFBF8BB54600F04885EE596DF681EAB4DA408760
              Strings
              • Execute=1, xrefs: 01584713
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01584725
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01584787
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01584742
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015846FC
              • ExecuteOptions, xrefs: 015846A0
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01584655
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 29630af365d9d083208c60d41a11a0fecd736b47c2f280491883530ca0d03561
              • Instruction ID: 2ecdc55c54a5187fcd7e8376539962886818d0703c55899f0662a9d0b16a2424
              • Opcode Fuzzy Hash: 29630af365d9d083208c60d41a11a0fecd736b47c2f280491883530ca0d03561
              • Instruction Fuzzy Hash: 91515D3160021ABBEF11EB69DC45FAE77B9FF58308F540499DA05AF191D7709A418F50
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction ID: 77d2ca4877c18ef5f5e992453f1834c0dd7699261c3bb86b96e8c13d23531209
              • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction Fuzzy Hash: 57022671908342AFD709CF18C498A6FBBE5FFD8740F40892DB9998B250DB31E905CB92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction ID: de8c1cfb70aa5991c51898da539a34dc56bb96ae1cfae9c6fee34d144f6ef469
              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction Fuzzy Hash: 2381D170E112498EEF658E6CC8B97BEBBA3BF44320F18465BDC61AF281C73099408761
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: c1798819d9d4acb0e0dc17322672d44e774495b81cb496c3a3b426dd9116abf4
              • Instruction ID: e7fc81322c0c7ad21c7dcd830fed75ea4cb1016998224ff9420c970a8dd72c04
              • Opcode Fuzzy Hash: c1798819d9d4acb0e0dc17322672d44e774495b81cb496c3a3b426dd9116abf4
              • Instruction Fuzzy Hash: A621377AA0011A9FDB11DFB9DC509EE7BF8FF94654F44011AED05D7240E730D9018B91
              Strings
              • RTL: Re-Waiting, xrefs: 0158031E
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015802E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015802BD
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 7a83b5eac7955d193721246183f0ac74f3b735c74874d1d8f3207d03f1aa5ebe
              • Instruction ID: 52b8484a4a01ba5599e01399a3cb5374a2eb0950a04f86223e5eedbde900440c
              • Opcode Fuzzy Hash: 7a83b5eac7955d193721246183f0ac74f3b735c74874d1d8f3207d03f1aa5ebe
              • Instruction Fuzzy Hash: 7CE19031A047429FD726DF28C884B2ABBE0BB84324F140A5EF5A5DF2E1D774D945CB52
              Strings
              • RTL: Re-Waiting, xrefs: 01587BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01587B7F
              • RTL: Resource at %p, xrefs: 01587B8E
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 4c7046239dcf5321322e9428b4aeb3d120eb4a5e1efa823ab42824fcf99d71e6
              • Instruction ID: d0c4dc0ab6bc53219a4c06d2152b2642092f3cf4f10e61db1a1618fdb0c5823d
              • Opcode Fuzzy Hash: 4c7046239dcf5321322e9428b4aeb3d120eb4a5e1efa823ab42824fcf99d71e6
              • Instruction Fuzzy Hash: 4E41B3353007039FDB25DE29C840B6AB7E5FF98715F100A1DEA5ADF680EB71E8458B91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0158728C
              Strings
              • RTL: Re-Waiting, xrefs: 015872C1
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01587294
              • RTL: Resource at %p, xrefs: 015872A3
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 561652e461da1b130b8c85ffb6c0b5863d5a22e447d3b484a2b3276a6996f983
              • Instruction ID: a9be1e043e1354ab363daf5e47a3a5a0307288967847b95aed799a784e775b49
              • Opcode Fuzzy Hash: 561652e461da1b130b8c85ffb6c0b5863d5a22e447d3b484a2b3276a6996f983
              • Instruction Fuzzy Hash: 7B41B231600207ABDB21EE29CC41F6ABBA5FB98714F240A19F956EF640DB31F85287D1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: 35f3734768b32747e678d03b0e36eaec69f53b7217a91c0bea8f91703510f711
              • Instruction ID: 3f9e00693629b938b5767ae8862611249fd7b30489fd9ac66c40e51601527f16
              • Opcode Fuzzy Hash: 35f3734768b32747e678d03b0e36eaec69f53b7217a91c0bea8f91703510f711
              • Instruction Fuzzy Hash: F7319872A002199FDB60DF6DCC40BEEB7F8FF54A10F44459AE949E7240EB30DA548BA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction ID: e5f2ac55b7c8ff5063e3d9acfdef2d52b266256b7ce1652734f635915ca56c0a
              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction Fuzzy Hash: 5F91C471E002169FEFA4DF6DC8A06BEBBA5BF88320F94451BED65AF2C0D73099408751
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.1819818662.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_14e0000_vTHGfiwMDeoOH5a.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 2779d7c056022bb21aff2589946b6d7693c3d3f0f0476f60188fc6e0088cb1ce
              • Instruction ID: 1e108c6fbf5315a2eb900ba0db4cd8b8626924a31eea0c5ca6d5622f814429f0
              • Opcode Fuzzy Hash: 2779d7c056022bb21aff2589946b6d7693c3d3f0f0476f60188fc6e0088cb1ce
              • Instruction Fuzzy Hash: A7810D75D0026A9BDB36DB54CC55BEEB7B4BB48714F0041DAEA19BB280E7705E84CFA0